Fixes for S3 DCE/RPC GSSAPI with Heimdal

Luke Howard lukeh at
Mon Apr 18 10:40:22 MDT 2011

On 18/04/2011, at 1:08 AM, simo wrote:

> On Mon, 2011-04-18 at 06:59 +1000, Andrew Bartlett wrote:
>> Luke,
>> I've asked you below about this history of PAC functions in MIT.  Did
>> MIT kerberos ever allow PAC access without doing the crypto, authtime
>> and principal checking?

I believe so, unfortunately. 1.7 introduced gsskrb5_extract_authz_data_from_sec_context(); you only know the PAC is verified if you use gss_get_name_attribute("urn:mspac:") and authenticated is set to TRUE.

This is different to Heimdal, which fails if the PAC does not verify (or at least does not return it via gsskrb5_extract_authz_data_from_sec_context() in this case) but does not support using the naming extensions APIs to get the PAC.

For better or worse, MIT is consistent across releases but inconsistent with Heimdal.

-- Luke

More information about the samba-technical mailing list