Fixes for S3 DCE/RPC GSSAPI with Heimdal

Andrew Bartlett abartlet at
Mon Apr 25 17:24:12 MDT 2011

On Mon, 2011-04-25 at 07:48 -0400, simo wrote:
> On Sat, 2011-04-23 at 18:03 +1000, Andrew Bartlett wrote:
> > On Sat, 2011-04-23 at 08:48 +0200, Luke Howard wrote:
> > > >> BTW: gss_wrap_iov() doesn't work with all encryption types in heimdal.
> > > > 
> > > > What are the limitations?
> > > 
> > > I believe it works only with "newer" (post-RC4) enctypes. At least, that's my quick reading of the code.
> > > 
> > > > I don't currently propose to use this code for any AD operations.
> > > > However, as this is a supported part of Samba3, I do want it to be
> > > > secure, and operate for at least the existing tests we have, which use
> > > > arcfour-hmac-md5.  
> > > 
> > > The question is what happens if you try gss_wrap_iov() with rc4-hmac. My reading of lib/gssapi/krb5/aeap.c is that you will get GSS_S_FAILURE.
> > 
> > Perhaps it's upgrading the crypto, but regardless I have a series of
> > patches that don't change the gss_wrap_iov() code and do appear to work.
> > 
> > The main question I'm looking at (and hoping for an answer from Simo
> > after Easter) is are there any remaining issues or objections with these
> > PAC changes:
> > 
> >;a=shortlog;h=refs/heads/krb5-fix
> > in particular:
> >;a=commitdiff;h=7e7cae6801599e6377b9e05c8c289f0129005ef6
> Not sure about "GSE" definitions in libcli/auth/kerberos_pac.c, for a
> quick look it feels like we are messing up dependencies again and
> breaking abstractions.
> the gse stuff was meant to be self contained so that you knew where to
> look to handle *any* gssapi compatibility issue right there.
> Can you leave all gse related stuff in librpc/crypto/gse* ?

I'm sorry for leaving the GSE prefix on the OID - I can certainly pick
another prefix.  

> I explicitly avoided to make a mess by combining all the old manual
> gssapi stuff and kerberos wrapper, so that we can make head and tails of
> the new stuff. The idea was to then slowly start replacing also the
> manual gssapi stuff with gse_* functions by moving the gse stuff in
> block into a common dir if necessary. But still keeping it separate from
> the old cruft.

I can put it in libcli/auth/gssapi_pac.c if you prefer.  I want to have
it in the top level because a later patch in the series uses it for
Samba4's PAC needs as well.  (As I said at the outset, I want to do this
right, once for all of Samba). 

I'm sorry that we never really spoke about your aims and objectives for
the GSE code, so it seems I've taken a different direction to what you
were aiming for.  I wasn't aware you wanted to make the GSE layer the
common GSSAPI abstraction across all of Samba.  

We could certainly do that, and perhaps we can work on that at SambaXP? 

My short-term aim was just to pull the PAC parsing and verification as
low in the stack as possible, to remove the double-verification, and put
as much as possible of it in common.  

Ideally I was hoping to have the parsing into PAC_DATA or even better
PAC_LOGON_INFO into a renamed gssapi_obtain_pac_blob(), using either our
routines (kerberos_pac.c) or the krb5_pac routines.  However, if it's OK
with you I would prefer to leave that and the consolidation of GSE as a
base abstraction for a later time. 

I'll fix these things up and post you a new patch shortly. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
