Fixes for S3 DCE/RPC GSSAPI with Heimdal

simo idra at samba.org
Mon Apr 25 22:29:56 MDT 2011


On Tue, 2011-04-26 at 09:24 +1000, Andrew Bartlett wrote:
> On Mon, 2011-04-25 at 07:48 -0400, simo wrote:
> > On Sat, 2011-04-23 at 18:03 +1000, Andrew Bartlett wrote:
> > > On Sat, 2011-04-23 at 08:48 +0200, Luke Howard wrote:
> > > > >> BTW: gss_wrap_iov() doesn't work with all encryption types in heimdal.
> > > > > 
> > > > > What are the limitations?
> > > > 
> > > > I believe it works only with "newer" (post-RC4) enctypes. At least, that's my quick reading of the code.
> > > > 
> > > > > I don't currently propose to use this code for any AD operations.
> > > > > However, as this is a supported part of Samba3, I do want it to be
> > > > > secure, and operate for at least the existing tests we have, which use
> > > > > arcfour-hmac-md5.  
> > > > 
> > > > The question is what happens if you try gss_wrap_iov() with rc4-hmac. My reading of lib/gssapi/krb5/aeap.c is that you will get GSS_S_FAILURE.
> > > 
> > > Perhaps it's upgrading the crypto, but regardless I have a series of
> > > patches that don't change the gss_wrap_iov() code and do appear to work.
> > > 
> > > The main question I'm looking at (and hoping for an answer from Simo
> > > after Easter) is are there any remaining issues or objections with these
> > > PAC changes:
> > > 
> > > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-fix
> > > in particular:
> > > http://git.samba.org/?p=abartlet/samba.git/.git;a=commitdiff;h=7e7cae6801599e6377b9e05c8c289f0129005ef6
> > 
> > Not sure about "GSE" definitions in libcli/auth/kerberos_pac.c; from a
> > quick look it feels like we are messing up dependencies again and
> > breaking abstractions.
> > The gse stuff was meant to be self-contained so that you knew where to
> > look to handle *any* gssapi compatibility issue right there.
> > 
> > Can you leave all gse related stuff in librpc/crypto/gse* ?
> 
> I'm sorry for leaving the GSE prefix on the OID - I can certainly pick
> another prefix.  

That's not the point.

> > I explicitly avoided making a mess by combining all the old manual
> > gssapi stuff and kerberos wrapper, so that we can make heads or tails of
> > the new stuff. The idea was to then slowly start replacing also the
> > manual gssapi stuff with gse_* functions by moving the gse stuff in a
> > block into a common dir if necessary. But still keeping it separate from
> > the old cruft.
> 
> I can put it in libcli/auth/gssapi_pac.c if you prefer.  I want to have
> it in the top level because a later patch in the series uses it for
> Samba4's PAC needs as well.  (As I said at the outset, I want to do this
> right, once for all of Samba). 
> 
> I'm sorry that we never really spoke about your aims and objectives for
> the GSE code, so it seems I've taken a different direction to what you
> were aiming for.  I wasn't aware you wanted to make the GSE layer the
> common GSSAPI abstraction across all of Samba.  

I certainly do not want to have dependencies all over the code again, so
we definitely need to discuss how merging is done.

> We could certainly do that, and perhaps we can work on that at SambaXP? 

Yup, although I won't be there for long, so grab me as soon as you can
or it might be too late.

> My short-term aim was just to pull the PAC parsing and verification as
> low in the stack as possible, to remove the double-verification, and put
> as much as possible of it in common.  

I think we've lived with duplication long enough that we can avoid
pulling at all costs. I know it is tempting, but there are many other
things that need to be done too; this is not that urgent, except for the
part where we make things work with both Kerberos implementations.

> Ideally I was hoping to have the parsing into PAC_DATA or even better
> PAC_LOGON_INFO into a renamed gssapi_obtain_pac_blob(), using either our
> routines (kerberos_pac.c) or the krb5_pac routines.  However, if it's OK
> with you I would prefer to leave that and the consolidation of GSE as a
> base abstraction for a later time. 

Yes please.

> I'll fix these things up and post you a new patch shortly. 

Thank you.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
