Fixes for S3 DCE/RPC GSSAPI with Heimdal

Andrew Bartlett abartlet at samba.org
Fri Apr 22 15:32:52 MDT 2011


On Fri, 2011-04-22 at 12:07 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> BTW: gss_wrap_iov() doesn't work with all encryption types in heimdal.

What are the limitations?

> Before we can use it, we need to test with all encryption types
> supported by AD.

Samba3 only supports DES and arcfour-hmac-md5, as the same keys are used
for the pseudo-GSS at the SMB layer.

> Note: that we still need to also support the des types,
> as it's possible to configure servers to only use des
> in AD.

I don't currently propose to use this code for any AD operations.
However, as this is a supported part of Samba3, I do want it to be
secure, and operate for at least the existing tests we have, which use
arcfour-hmac-md5.

Heimdal no longer supports DES operation without setting krb5.conf
settings, just as Win2008 requires registry settings, and it is quite
insecure in any case.  As such I'm not bothered by this limitation.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org