Fixes for S3 DCE/RPC GSSAPI with Heimdal

Luke Howard lukeh at
Wed Apr 20 17:02:23 MDT 2011

Hi Andrew,

> Am I correct in saying that MIT kerberos versions (1.6?) that don't
> provide gss_get_name_attribute() also do not provide any way for the
> caller to verify the PAC?  In particular, I can't see a way to get the
> service keyblock back from GSSAPI.  

Sorry I wasn't very clear with this. gss_get_name_attribute() came in 1.8. AFAIK versions prior to 1.7 don't provide any way to get at the authorization data from GSS.

> The reason I ask is that it seems that it is impossible to securely use
> the PAC in versions 1.6 and below, and I want to ensure we don't release
> Samba 3.6 with a security hole.

You can't get at the PAC in 1.6. In 1.7, you have to verify it yourself. In 1.8 and above, you know it's verified if you retrieve it via gss_get_name_attribute() and authenticated is non-zero.

> If this is the case, should we simply decide not to support GSSAPI
> secured RPC against MIT 1.6? (that version I think had gss_wrap_iov but
> not gss_get_name_attribute). 

I think you're a version off. 1.7 had gss_wrap_iov, 1.8 had gss_get_name_attribute.

-- Luke
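An added example, not part of this thread or of Samba's own build system: a configure-style probe that applies the version rule Luke gives above. It maps the output of `krb5-config --version` (assumed to look like "Kerberos 5 release 1.8.3") to how the PAC may be handled (not reachable before 1.7, caller-verified on 1.7, checked via gss_get_name_attribute() and its `authenticated` flag on 1.8+), and it also offers a link-time probe for gss_get_name_attribute() in the style of autoconf's AC_CHECK_FUNCS. The probe assumes `cc` and `krb5-config` are on PATH; the sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not from the samba-technical thread). Decide how a GSSAPI
# consumer may treat the PAC, based on the MIT Kerberos version Luke describes:
#   < 1.7 : no way to reach the PAC from GSS at all
#   = 1.7 : gss_wrap_iov exists, but the caller must verify the PAC itself
#   >= 1.8: gss_get_name_attribute() exists and reports whether the PAC was
#           authenticated (only trust it when that flag is non-zero)

# Extract "MAJOR MINOR" from a string such as "Kerberos 5 release 1.8.3"
# (the assumed krb5-config --version format) or a bare "1.6".
krb5_version_major_minor() {
    for tok in $(printf '%s\n' "$1" | tr -c '0-9.\n' ' '); do
        case "$tok" in
            *.*) printf '%s\n' "$tok" | awk -F. '{ print $1, $2 }'; return 0 ;;
        esac
    done
    return 1
}

# Echo the PAC policy for a version string; "unknown" if it cannot be parsed.
pac_policy_for_krb5_version() {
    mm=$(krb5_version_major_minor "$1") || { echo unknown; return 1; }
    major=${mm%% *}
    minor=${mm##* }
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 8 ]; }; then
        echo gss-name-attribute   # retrieve PAC via gss_get_name_attribute(), check authenticated
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 7 ]; then
        echo verify-yourself      # PAC reachable, but its signature is the caller's problem
    else
        echo no-pac               # cannot get at the PAC; do not pretend to authorize on it
    fi
}

# Link-only probe, the way AC_CHECK_FUNCS does it: declare a dummy prototype and
# see whether the installed GSSAPI library resolves gss_get_name_attribute.
# Returns 0 if present, 1 if absent, 2 if the probe itself could not run.
have_gss_get_name_attribute() {
    command -v cc >/dev/null 2>&1 && command -v krb5-config >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    cat >"$tmp/probe.c" <<'EOF'
char gss_get_name_attribute(void);           /* bogus prototype; link test only */
int main(void) { return gss_get_name_attribute() != 0; }
EOF
    if cc -o "$tmp/probe" "$tmp/probe.c" \
          $(krb5-config --cflags --libs gssapi 2>/dev/null) >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Constructed sample inputs covering the three cases from the thread.
for sample in "Kerberos 5 release 1.6.3" "Kerberos 5 release 1.7.1" "Kerberos 5 release 1.8.3"; do
    printf '%-26s -> %s\n' "$sample" "$(pac_policy_for_krb5_version "$sample")"
done
```

In a real configure script you would combine the two: refuse to enable GSSAPI-secured RPC when the policy is `no-pac`, and only compile the gss_get_name_attribute() path when the link probe succeeds.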
