Fixes for S3 DCE/RPC GSSAPI with Heimdal

Andrew Bartlett abartlet at
Sat Apr 23 02:03:55 MDT 2011

On Sat, 2011-04-23 at 08:48 +0200, Luke Howard wrote:
> >> BTW: gss_wrap_iov() doesn't work with all encryption types in heimdal.
> > 
> > What are the limitations?
> I believe it works only with "newer" (post-RC4) enctypes. At least, that's my quick reading of the code.
> > I don't currently propose to use this code for any AD operations.
> > However, as this is a supported part of Samba3, I do want it to be
> > secure, and operate for at least the existing tests we have, which use
> > arcfour-hmac-md5.  
> The question is what happens if you try gss_wrap_iov() with rc4-hmac. My reading of lib/gssapi/krb5/aeap.c is that you will get GSS_S_FAILURE.

Perhaps it's upgrading the crypto, but regardless I have a series of
patches that don't change the gss_wrap_iov() code and do appear to work.

The main question I'm looking at (and hoping for an answer from Simo
after Easter) is are there any remaining issues or objections with these
PAC changes:;a=shortlog;h=refs/heads/krb5-fix
in particular:;a=commitdiff;h=7e7cae6801599e6377b9e05c8c289f0129005ef6

Getting gss_wrap_iov() to work for all enc types in Heimdal certainly
would be nice (and would allow Samba4 to do header-signing in DCE/RPC),
but that's a matter for separate work on Heimdal. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list