Fixes for S3 DCE/RPC GSSAPI with Heimdal

Luke Howard lukeh at padl.com
Thu Apr 21 03:07:44 MDT 2011
You can iterate through the keytab, not ideal and won't work for user-to-user, but fine for most use. That's what XAD - which effectively used 1.7 - did.

Sent from my iPhone

On 21/04/2011, at 2:23, Andrew Bartlett <abartlet at samba.org> wrote:

> On Thu, 2011-04-21 at 01:02 +0200, Luke Howard wrote:
>> Hi Andrew,
>> 
>>> Am I correct in saying that MIT kerberos versions (1.6?) that don't
>>> provide gss_get_name_attribute() also do not provide any way for the
>>> caller to verify the PAC?  In particular, I can't see a way to get the
>>> service keyblock back from GSSAPI.  
>> 
>> Sorry I wasn't very clear with this. gss_get_name_attribute() came in 1.8. AFAIK versions prior to 1.7 don't provide any way to get at the authorization data from GSS.
>> 
>>> The reason I ask is that it seems that it is impossible to securely use
>>> the PAC in versions 1.6 and below, and I want to ensure we don't release
>>> Samba 3.6 with a security hole.
>> 
>> You can't get at the PAC in 1.6. In 1.7, you have to verify it yourself. In 1.8 and above, you know it's verified if you retrieve it via gss_get_name_attribute() and authenticated is non-zero.
> 
> OK.  To be clear, in 1.7 you also can't easily verify it yourself, as no
> part of GSSAPI will give you the service keyblock?
> 
>>> If this is the case, should we simply decide not to support GSSAPI
>>> secured RPC against MIT 1.6? (that version I think had gss_wrap_iov but
>>> not gss_get_name_attribute). 
>> 
>> I think you're a version off. 1.7 had gss_wrap_iov, 1.8 had gss_get_name_attribute.
> 
> Yes, sorry about that.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 