Fixes for S3 DCE/RPC GSSAPI with Heimdal
Andrew Bartlett
abartlet at samba.org
Tue Apr 19 17:24:46 MDT 2011
On Tue, 2011-04-19 at 07:51 -0400, simo wrote:
> On Mon, 2011-04-18 at 12:07 +1000, Andrew Bartlett wrote:
> > On Sun, 2011-04-17 at 19:08 -0400, simo wrote:
> > > On Mon, 2011-04-18 at 06:59 +1000, Andrew Bartlett wrote:
> > > > Luke,
> > > >
> > > > I've asked you below about this history of PAC functions in MIT. Did
> > > > MIT kerberos ever allow PAC access without doing the crypto, authtime
> > > > and principal checking?
> > > >
> > > > On Sat, 2011-04-16 at 12:16 -0400, simo wrote:
> > > > > On Sat, 2011-04-16 at 19:58 +1000, Andrew Bartlett wrote:
> > > > > > Simo,
> > > > > >
> > > > > > I've been working to test the Samba3 binaries produced by the top level
> > > > > > build, and this builds against Samba4's Heimdal at this time.
> > > > > >
> > > > > > When you proposed your DCE/RPC GSSAPI patches, you asked that I check
> > > > > > them against Heimdal, and sadly I only got as far as compiling them,
> > > > > > not running them.
> > > > > >
> > > > > > These patches make the DCE/RPC GSSAPI server work with the newly added
> > > > > > ktest tests in Samba3's make test, when run from the top level build.
> > > > > >
> > > > > > Can you let me know if these changes are OK, or if you want some further
> > > > > > explanation?
> > > > > >
> > > > > > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-fix
> > > > > >
> > > > > > In particular I'm referring to:
> > > > > >
> > > > > > s3-gse: Allow the GSSAPI wrapper to load a keytab using
> > > > > > gss_krb5_import_cred():
> > > > > > http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=abfe0bb3a73a3d00d0e75ae2405bf064f6abbf89
> > > > >
> > > > > Why did you remove the ability to pass in an arbitrary keytab ?
> > > >
> > > > Because it was unused, and the Heimdal function involved takes an open
> > > > keytab, not a name. I just didn't want to open and figure out how to
> > > > reference an additional keytab if no caller used that facility. Do you
> > > > have plans for this function that involve a keytab that Samba doesn't
> > > > manage?
> > >
> > > Technically yes, but I haven't needed it so far. I just don't want to
> > > break Heimdal later if it turns out I need it and revert this change.
> >
> > OK, so where do we go from here? Can we add code to open the keytab and
> > keep hold of it etc when we find an actual need? The approach of using
> > an open keytab avoids a use of a global variable that you had a FIXME
> > for.
>
> Yes, I guess we can.
Thanks.
> > > > I'll fix this up and send it back to you.
> >
> > I've fixed things up again, and found out how to use the generic
> > gss_inquire_sec_context_by_oid() to get the PAC from Heimdal. So, there
> > are now less #ifdefs in the code.
> >
> > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-fix
> >
> > Please let me know what you think.
>
> The patch about getting the pac looks much better to me now.
> The gss_release_oid() removal is still controversial, and for the last
> one I guess we need to discuss it a bit with Luke after what he wrote.
OK, so I'll slay this dragon once and for all. I'll write a single
function that can be shared between Samba3 and Samba4, that returns a
PAC structure, tries the new MIT function (if found
by ./configure), then the Heimdal OID, and then the MIT OID, doing a
full verification in the latter case.
At least then it should avoid this being a sticking point when we try to
merge more of this code in future. Once all that's done we should
probably get this into 3.6.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org