Fixes for S3 DCE/RPC GSSAPI with Heimdal

simo idra at
Tue Apr 26 06:11:17 MDT 2011

On Tue, 2011-04-26 at 15:21 +1000, Andrew Bartlett wrote:
> On Tue, 2011-04-26 at 00:29 -0400, simo wrote:
> > On Tue, 2011-04-26 at 09:24 +1000, Andrew Bartlett wrote:
> > > On Mon, 2011-04-25 at 07:48 -0400, simo wrote:
> > > > I explicilty avoided to make a mess by combining all the old manual
> > > > gssapi stuff and kerberos wrapper, so that we can make head and tails of
> > > > the new stuff. The idea was to then slowly start replacing also the
> > > > manual gssapi stuff with gse_* functions my moving the gse stuff in
> > > > block into a common dir if necessary. But still keeping it separate from
> > > > the old cruft.
> > > 
> > > I can put it in libcli/auth/gssapi_pac.c if you prefer.  I want to have
> > > it in the top level because a later patch in the series uses it for
> > > Samba4's PAC needs as well.  (As I said at the outset, I want to do this
> > > right, once for all of Samba). 
> > > 
> > > I'm sorry that we never really spoke about your aims and objectives for
> > > the GSE code, so it seems I've taken a different direction to what you
> > > were aiming for.  I wasn't aware you wanted to make the GSE layer the
> > > common GSSAPI abstraction across all of Samba.  
> > 
> > I certainly do not want to have dependencies all over the code again, so
> > we definitely need to discuss how merging is done.
> Simo,
> I'm sorry, I'm having difficulty pinning down your concerns.  Can you
> point out exactly what dependencies you are concerned about, so I can
> try and address this?
> Is is the creation of gssapi_error_string with the other krb5
> compatibility wrapper functions?

Yes, I'd like to avoid that for now.

> Is it moving the PAC blob fetching function in common, where I can use
> it with Samba4 as well?

The PAC is a bit of a special case, I can see the value in having it in

> > > We could certainly do that, and perhaps we can work on that at SambaXP? 
> > 
> > Yup, although I won't be there for long, so grab me as soon as you can
> > or it might be too late.
> > 
> > > My short-term aim was just to pull the PAC parsing and verification as
> > > low in the stack as possible, to remove the double-verification, and put
> > > as much as possible of it in common.  
> > 
> > I think we've lived with duplication long enough that we can avoid
> > pulling at all costs. I know it is tempting, but there many other things
> > that needs to be done too, this is not that urgent, except for the part
> > where we make things work with both Kerberos implementations.
> I'm sorry, I'm not sure I understand.  Your preference is that having
> done this work, that we keep it in duplicate?  
> With the exception that we have these basic functions in common (which
> allows much better testing, because Samba4 does much more kerberos
> testing) the patches I have proposed are the minimum to have Samba3 use
> a secure, authenticated PAC, and to get Samba3 tested in combination
> with Samba4.
> I hope this updated branch addresses your concerns:

Moving the pac extraction in another file is ok, although "libcli" as
the place where to put it sounds wrong as the PAC is always verified on
servers not clients.

You removed gse_get_authz_data() although I asked you to leave it there
(not the use of it, the function itself).

You still unconditionally remove gss_release_oid() when I asked you to
ifdef it out for heimdal given it has problems, but MIT technically
requires it.

Please do not move gse_errstr() I prefer it to be duplicate but have the
code confined within the gse framework, that function is super simple
and we don't gain much by making it common, except more confusion when
you read the gse code.


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Principal Software Engineer at Red Hat, Inc. <simo at>

More information about the samba-technical mailing list