Fixes for S3 DCE/RPC GSSAPI with Heimdal

Andrew Bartlett abartlet at samba.org
Mon Apr 25 23:21:01 MDT 2011


On Tue, 2011-04-26 at 00:29 -0400, simo wrote:
> On Tue, 2011-04-26 at 09:24 +1000, Andrew Bartlett wrote:
> > On Mon, 2011-04-25 at 07:48 -0400, simo wrote:

> > > I explicitly avoided to make a mess by combining all the old manual
> > > gssapi stuff and kerberos wrapper, so that we can make head and tails of
> > > the new stuff. The idea was to then slowly start replacing also the
> > > manual gssapi stuff with gse_* functions by moving the gse stuff in
> > > block into a common dir if necessary. But still keeping it separate from
> > > the old cruft.
> > 
> > I can put it in libcli/auth/gssapi_pac.c if you prefer.  I want to have
> > it in the top level because a later patch in the series uses it for
> > Samba4's PAC needs as well.  (As I said at the outset, I want to do this
> > right, once for all of Samba). 
> > 
> > I'm sorry that we never really spoke about your aims and objectives for
> > the GSE code, so it seems I've taken a different direction to what you
> > were aiming for.  I wasn't aware you wanted to make the GSE layer the
> > common GSSAPI abstraction across all of Samba.  
> 
> I certainly do not want to have dependencies all over the code again, so
> we definitely need to discuss how merging is done.

Simo,

I'm sorry, I'm having difficulty pinning down your concerns.  Can you
point out exactly what dependencies you are concerned about, so I can
try and address this?

Is it the creation of gssapi_error_string with the other krb5
compatibility wrapper functions?

Is it moving the PAC blob fetching function in common, where I can use
it with Samba4 as well?

> > We could certainly do that, and perhaps we can work on that at SambaXP? 
> 
> Yup, although I won't be there for long, so grab me as soon as you can
> or it might be too late.
> 
> > My short-term aim was just to pull the PAC parsing and verification as
> > low in the stack as possible, to remove the double-verification, and put
> > as much as possible of it in common.  
> 
> I think we've lived with duplication long enough that we can avoid
> pulling at all costs. I know it is tempting, but there are many other things
> that need to be done too, this is not that urgent, except for the part
> where we make things work with both Kerberos implementations.

I'm sorry, I'm not sure I understand.  Your preference is that having
done this work, that we keep it in duplicate?  

With the exception that we have these basic functions in common (which
allows much better testing, because Samba4 does much more kerberos
testing) the patches I have proposed are the minimum to have Samba3 use
a secure, authenticated PAC, and to get Samba3 tested in combination
with Samba4.

I hope this updated branch addresses your concerns:
http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-fix

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


