Fixes for S3 DCE/RPC GSSAPI with Heimdal

simo idra at
Mon Apr 25 05:48:39 MDT 2011

On Sat, 2011-04-23 at 18:03 +1000, Andrew Bartlett wrote:
> On Sat, 2011-04-23 at 08:48 +0200, Luke Howard wrote:
> > >> BTW: gss_wrap_iov() doesn't work with all encryption types in heimdal.
> > > 
> > > What are the limitations?
> > 
> > I believe it works only with "newer" (post-RC4) enctypes. At least, that's my quick reading of the code.
> > 
> > > I don't currently propose to use this code for any AD operations.
> > > However, as this is a supported part of Samba3, I do want it to be
> > > secure, and operate for at least the existing tests we have, which use
> > > arcfour-hmac-md5.  
> > 
> > The question is what happens if you try gss_wrap_iov() with rc4-hmac. My reading of lib/gssapi/krb5/aeap.c is that you will get GSS_S_FAILURE.
> Perhaps it's upgrading the crypto, but regardless I have a series of
> patches that don't change the gss_wrap_iov() code and do appear to work.
> The main question I'm looking at (and hoping for an answer from Simo
> after Easter) is are there any remaining issues or objections with these
> PAC changes:
> in particular:

Not sure about "GSE" definitions in libcli/auth/kerberos_pac.c; from a
quick look it feels like we are messing up dependencies again and
breaking abstractions.
The gse stuff was meant to be self contained so that you knew where to
look to handle *any* gssapi compatibility issue right there.

Can you leave all gse related stuff in librpc/crypto/gse* ?

I explicitly avoided making a mess by combining all the old manual
gssapi stuff and kerberos wrapper, so that we can make heads or tails of
the new stuff. The idea was to then slowly start replacing the manual
gssapi stuff with gse_* functions too, by moving the gse stuff as a
block into a common dir if necessary, but still keeping it separate from
the old cruft.

Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Principal Software Engineer at Red Hat, Inc. <simo at>