Fixes for S3 DCE/RPC GSSAPI with Heimdal

Luke Howard lukeh at
Sat Apr 23 00:48:58 MDT 2011

>> BTW: gss_wrap_iov() doesn't work with all encryption types in heimdal.
> What are the limitations?

I believe it works only with "newer" (post-RC4) enctypes. At least, that's my quick reading of the code.

> I don't currently propose to use this code for any AD operations.
> However, as this is a supported part of Samba3, I do want it to be
> secure, and operate for at least the existing tests we have, which use
> arcfour-hmac-md5.  

The question is what happens if you try gss_wrap_iov() with rc4-hmac. My reading of lib/gssapi/krb5/aeap.c is that you will get GSS_S_FAILURE.

(For the record, I tested MIT IOV against W2K8 with DES, RC4 and AES; I also tested it against itself with Camellia.)

-- Luke

More information about the samba-technical mailing list