Fixes for S3 DCE/RPC GSSAPI with Heimdal

Andrew Bartlett abartlet at
Wed Apr 20 20:40:21 MDT 2011

On Thu, 2011-04-21 at 11:16 +1000, Andrew Bartlett wrote:
> On Wed, 2011-04-20 at 17:05 +1000, Andrew Bartlett wrote:
> > Luke,
> > 
> > Am I correct in saying that MIT kerberos versions (1.6?) that don't
> > provide gss_get_name_attribute() also do not provide any way for the
> > caller to verify the PAC?  In particular, I can't see a way to get the
> > service keyblock back from GSSAPI.  
> > 
> > The reason I ask is that it seems that it is impossible to securely use
> > the PAC in versions 1.6 and below, and I want to ensure we don't release
> > Samba 3.6 with a security hole.
> > 
> > Simo,
> > 
> > If this is the case, should we simply decide not to support GSSAPI
> > secured RPC against MIT 1.6? (that version I think had gss_wrap_iov but
> > not gss_get_name_attribute). 
> > 
> > I am writing a wrapper that checks the name and timestamp, but this
> > seems pointless if we don't check the actual signature on the PAC.
> See
>;a=shortlog;h=refs/heads/krb5-fix for my latest patch set.
> Ironically, in the success case the release_oid fix isn't required.
> This bothers me - we should look into if we are just leaking it. 
> This works for the top level build and autoconf, and I think it's ready
> for your review.  I'm having difficulty with the s3-waf build, I'll keep
> nutting at it and get Tridge's help on that when he is available. 

I've fixed the build issue.  I think this patch set is good to go, with
only your final position on this OID mess to decide. 

> I'll move Samba4 to also use this function when I get a chance. 

That's now done.  Hopefully this makes porting Samba4's code (into
common or for MIT krb5) easier in future.  We should add similar
wrappers for the session key. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
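The point of the thread is that checking the PAC_CLIENT_INFO name and timestamp is a consistency check, not an integrity check: only the server checksum, keyed with the service's own long-term key, proves the KDC issued the PAC unmodified. The following is an added example, not Samba code and not the thread's patch set; it is a pure-Python model of that distinction. It serialises a minimal PACTYPE, computes the KERB_CHECKSUM_HMAC_MD5 server checksum as defined for RC4-HMAC keys in RFC 4757 (key usage 17, both signature fields zeroed during hashing), and then shows that a PAC whose logon-info bytes were altered still passes the name/timestamp check while failing the signature check. The service key, FILETIME, principal name and logon-info blob are all constructed; the logon-info payload is an opaque placeholder rather than real NDR-encoded KERB_VALIDATION_INFO, and the KDC checksum is left zeroed because a service has no krbtgt key to verify it with.

```python
import hashlib
import hmac
import struct

# MS-PAC buffer types and the RC4-HMAC checksum type from RFC 4757.
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
PAC_CLIENT_INFO = 10
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # -138; 16-byte signature
KERB_NON_KERB_CKSUM_SALT = 17         # key usage for the PAC signatures


def hmac_md5_checksum(key, usage, data):
    """RFC 4757 section 4: HMAC-MD5(Ksign, MD5(usage_le32 || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def _align8(n):
    return (n + 7) & ~7


def build_pac(buffers, server_key):
    """Serialise (type, payload) pairs plus the two signature buffers into a
    PACTYPE and fill in the server checksum. KDC checksum stays zeroed."""
    empty_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * 16
    bufs = list(buffers) + [(PAC_SERVER_CHECKSUM, empty_sig),
                            (PAC_PRIVSVR_CHECKSUM, empty_sig)]
    header_len = 8 + 16 * len(bufs)            # cBuffers, Version, PAC_INFO_BUFFERs
    offset = _align8(header_len)
    entries, body = [], bytearray()
    for btype, payload in bufs:                # each buffer at an 8-byte aligned offset
        entries.append((btype, len(payload), offset))
        body += payload + b"\x00" * (_align8(len(payload)) - len(payload))
        offset += _align8(len(payload))
    pac = bytearray(struct.pack("<II", len(bufs), 0))
    for btype, size, off in entries:
        pac += struct.pack("<IIQ", btype, size, off)
    pac += b"\x00" * (_align8(header_len) - header_len) + body
    # Both signature fields are still zero here, which is exactly the input
    # the server checksum is defined over.
    srv_off = {t: o for t, _, o in entries}[PAC_SERVER_CHECKSUM]
    pac[srv_off + 4:srv_off + 20] = hmac_md5_checksum(
        server_key, KERB_NON_KERB_CKSUM_SALT, bytes(pac))
    return bytes(pac)


def parse_pac(pac):
    """Return {buffer_type: (offset, size)} from the PACTYPE header."""
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version")
    out = {}
    for i in range(count):
        btype, size, off = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if off + size > len(pac):
            raise ValueError("PAC buffer overruns blob")
        out[btype] = (off, size)
    return out


def verify_server_checksum(pac, server_key):
    """The check a service can only perform if it holds its own keyblock."""
    bufs = parse_pac(pac)
    work = bytearray(pac)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off, size = bufs[t]
        work[off + 4:off + size] = b"\x00" * (size - 4)   # zero the signature bytes
    off, size = bufs[PAC_SERVER_CHECKSUM]
    sigtype, = struct.unpack_from("<I", pac, off)
    if sigtype != KERB_CHECKSUM_HMAC_MD5 or size != 20:
        raise ValueError("only KERB_CHECKSUM_HMAC_MD5 is modelled here")
    expected = hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, bytes(work))
    return hmac.compare_digest(expected, bytes(pac[off + 4:off + 20]))


def client_info(auth_time, name):
    """PAC_CLIENT_INFO: ClientId FILETIME, NameLength, UTF-16LE name."""
    n = name.encode("utf-16-le")
    return struct.pack("<QH", auth_time, len(n)) + n


def check_name_and_time(pac, name, auth_time):
    """The name/timestamp check from the mail: consistency only, no integrity."""
    off, _ = parse_pac(pac)[PAC_CLIENT_INFO]
    t, nlen = struct.unpack_from("<QH", pac, off)
    got = bytes(pac[off + 10:off + 10 + nlen]).decode("utf-16-le")
    return t == auth_time and got == name


# Constructed inputs: fake service key, fake FILETIME, placeholder logon info.
SERVER_KEY = bytes(range(16))
AUTH_TIME = 0x01CBFF0000000000
LOGON_INFO = b"\x01\x10\x08\x00" + b"\x00" * 4 + struct.pack("<I", 513) * 4


def demo():
    pac = build_pac([(PAC_LOGON_INFO, LOGON_INFO),
                     (PAC_CLIENT_INFO, client_info(AUTH_TIME, "alice@EXAMPLE.COM"))],
                    SERVER_KEY)
    logon_off, _ = parse_pac(pac)[PAC_LOGON_INFO]
    tampered = bytearray(pac)
    tampered[logon_off + 8] ^= 0x01       # flip one bit inside the logon info
    tampered = bytes(tampered)
    return {
        "genuine_sig_ok": verify_server_checksum(pac, SERVER_KEY),
        "tampered_name_time_ok": check_name_and_time(tampered, "alice@EXAMPLE.COM", AUTH_TIME),
        "tampered_sig_ok": verify_server_checksum(tampered, SERVER_KEY),
        "wrong_key_sig_ok": verify_server_checksum(pac, b"\xff" * 16),
    }
```

`demo()` returns the four verdicts: the genuine PAC verifies, the tampered one still satisfies the name and timestamp check but fails the signature, and the wrong key fails too. That last case is the situation Andrew describes for MIT 1.6: without the service keyblock there is no `server_key` to hand to `verify_server_checksum()`, and the only check left is the one that a tampered PAC passes.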
