Fixes for S3 DCE/RPC GSSAPI with Heimdal
lukeh at padl.com
Mon Apr 18 10:40:22 MDT 2011
On 18/04/2011, at 1:08 AM, simo wrote:
> On Mon, 2011-04-18 at 06:59 +1000, Andrew Bartlett wrote:
>> I've asked you below about this history of PAC functions in MIT. Did
>> MIT kerberos ever allow PAC access without doing the crypto, authtime
>> and principal checking?
I believe so, unfortunately. 1.7 introduced gsskrb5_extract_authz_data_from_sec_context(); you only know the PAC is verified if you use gss_get_name_attribute("urn:mspac:") and authenticated is set to TRUE.
This is different to Heimdal, which fails if the PAC does not verify (or at least does not return it via gsskrb5_extract_authz_data_from_sec_context() in this case) but does not support using the naming extensions APIs to get the PAC.
For better or worse, MIT is consistent across releases but inconsistent with Heimdal.