heimdal: remove KRB5_PADATA_CLIENT_CANONICALIZED handling

Andrew Bartlett abartlet at samba.org
Thu Mar 12 02:51:10 MDT 2015


On Thu, 2015-03-12 at 09:39 +0100, Stefan (metze) Metzmacher wrote:
> ...and here are the patches...
> 
> 
> Am 12.03.2015 um 09:26 schrieb Stefan (metze) Metzmacher:
> > Hi Andrew,
> > 
> > here are some patches to remove the KRB5_PADATA_CLIENT_CANONICALIZED
> > handling from heimdal. This PADATA type uses number 133 which is now
> > assigned to PA-FX-COOKIE in rfc6113.
> > 
> > KRB5_PADATA_CLIENT_CANONICALIZED was specified in
> > draft-ietf-krb-wg-kerberos-referrals-11.txt,
> > but it was removed in the final rfc6806. The protection can be achieved
> > by using FAST (rfc6113).
> > 
> > I noticed that our KDC uses KRB5_PADATA_CLIENT_CANONICALIZED in its
> > responses, while I improved the wireshark kerberos dissector.
> > https://git.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-current
> > has support for FAST (rfc6113) and a lot of other stuff from [MS-KILE],
> > [MS-SFU] and [MS-PAC].
> > 
> > These patches are also part of my master4-forest-ok branch
> > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok
> > which Günther is currently reviewing.

Thanks for keeping on top of this stuff, I saw that in your branch and
was impressed.

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



