Fixes for S3 DCE/RPC GSSAPI with Heimdal

Andrew Bartlett abartlet at
Wed Apr 20 18:23:01 MDT 2011

On Thu, 2011-04-21 at 01:02 +0200, Luke Howard wrote:
> Hi Andrew,
> > Am I correct in saying that MIT Kerberos versions (1.6?) that don't
> > provide gss_get_name_attribute() also do not provide any way for the
> > caller to verify the PAC?  In particular, I can't see a way to get the
> > service keyblock back from GSSAPI.  
> Sorry I wasn't very clear with this. gss_get_name_attribute() came in 1.8. AFAIK versions prior to 1.7 don't provide any way to get at the authorization data from GSS.
> > The reason I ask is that it seems that it is impossible to securely use
> > the PAC in versions 1.6 and below, and I want to ensure we don't release
> > Samba 3.6 with a security hole.
> You can't get at the PAC in 1.6. In 1.7, you have to verify it yourself. In 1.8 and above, you know it's verified if you retrieve it via gss_get_name_attribute() and authenticated is non-zero.

OK.  To be clear, in 1.7 you also can't easily verify it yourself, as no
part of GSSAPI will give you the service keyblock?

> > If this is the case, should we simply decide not to support GSSAPI
> > secured RPC against MIT 1.6? (that version I think had gss_wrap_iov but
> > not gss_get_name_attribute). 
> I think you're a version off. 1.7 had gss_wrap_iov, 1.8 had gss_get_name_attribute.

Yes, sorry about that.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
