Fixes for S3 DCE/RPC GSSAPI with Heimdal

Luke Howard lukeh at padl.com
Mon Apr 18 10:40:22 MDT 2011


On 18/04/2011, at 1:08 AM, simo wrote:

> On Mon, 2011-04-18 at 06:59 +1000, Andrew Bartlett wrote:
>> Luke,
>> 
>> I've asked you below about this history of PAC functions in MIT.  Did
>> MIT kerberos ever allow PAC access without doing the crypto, authtime
>> and principal checking?

I believe so, unfortunately. 1.7 introduced gsskrb5_extract_authz_data_from_sec_context(); you only know the PAC is verified if you use gss_get_name_attribute("urn:mspac:") and authenticated is set to TRUE.

This is different to Heimdal, which fails if the PAC does not verify (or at least does not return it via gsskrb5_extract_authz_data_from_sec_context() in this case) but does not support using the naming extensions APIs to get the PAC.

For better or worse, MIT is consistent across releases but inconsistent with Heimdal.

-- Luke
