[RFC] fix bug 12007

Uri Simchoni uri at samba.org
Sun Jul 3 21:06:21 UTC 2016


On 07/04/2016 12:00 AM, Uri Simchoni wrote:
> Hi,
> 
> Attached is a proposed fix for bug 12007 - spurious AS requests for
> "root at my.domain.com" generated by a member server. Still running it
> through local autobuild.
> 
> The issue surfaced after the April security release, that started using
> gensec_gse for binding ldap connections.
> 
> The root cause is that with Heimdal, gss_acquire_cred() is generating
> this AS request if the credentials are not found in the ccache. I have
> no idea what good can possibly come out of this AS request for any user
> of Kerberos. The attached fix replaces gss_acquire_cred by
> gss_krb5_import_cred().
> 
> I'd like some feedback from those familiar with this code -
> 1. It could be that the right fix is in Heimdal
> 2. The reason for acquiring the credentials (in client context!) seems
> to be to be able to set GSS_KRB5_CRED_NO_CI_FLAGS_X option on the
> credentials - not sure what scenario this fixes and how to test there's
> no degradation there.
> 3. Perhaps someone can easily determine the MIT behavior - if MIT is not
> sending this request then maybe the patch should be #ifdef'd on Kerberos
> type - use the more portable gss_acquire_cred() with MIT Kerberos.
> 
> Thanks,
> Uri.
> 

One more thing - the gensec_gse code also makes an extra TGS handshake,
requesting a TGT, because it requires delegation for the security
context. Do we need delegation for LDAP sasl binding/wrapping?

Thanks,
Uri.
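The symptom described in this thread (a member server repeatedly sending AS requests for a principal like root@my.domain.com that the KDC does not know) can be confirmed from the KDC side. The script below is an added example, not code from this thread or from Samba: it scans KDC log lines for AS-REQs whose client principal the KDC rejected as unknown and reports (principal, client address) pairs that repeat. The log lines are constructed here, in a Heimdal-like layout, and the two regular expressions, the `threshold` parameter and the realm `MY.DOMAIN.COM` are assumptions; adjust the patterns to the format your KDC actually writes.

```python
import re
from collections import Counter

# Assumed Heimdal-style KDC log layout (adjust for your KDC):
#   "<ts> AS-REQ <client-principal> from IPv4:<addr> for <service-principal>"
#   "<ts> UNKNOWN -- <client-principal>: no such entry found in hdb"
AS_REQ_RE = re.compile(r"AS-REQ (\S+) from IPv4:(\S+) for ")
UNKNOWN_RE = re.compile(r"UNKNOWN -- (\S+): no such entry found")

# Constructed sample: one member server (10.0.0.5) bursting AS-REQs for a
# principal the KDC has no entry for, plus normal traffic for its own
# machine account and a single stray request from another host.
SAMPLE_LOG = """\
2016-07-03T21:00:01 AS-REQ root@MY.DOMAIN.COM from IPv4:10.0.0.5 for krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
2016-07-03T21:00:01 UNKNOWN -- root@MY.DOMAIN.COM: no such entry found in hdb
2016-07-03T21:00:02 AS-REQ MEMBER$@MY.DOMAIN.COM from IPv4:10.0.0.5 for krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
2016-07-03T21:00:02 Client sent patypes: REQ-ENC-PA-REP
2016-07-03T21:00:03 AS-REQ root@MY.DOMAIN.COM from IPv4:10.0.0.5 for krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
2016-07-03T21:00:03 UNKNOWN -- root@MY.DOMAIN.COM: no such entry found in hdb
2016-07-03T21:00:04 AS-REQ root@MY.DOMAIN.COM from IPv4:10.0.0.9 for krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
2016-07-03T21:00:04 UNKNOWN -- root@MY.DOMAIN.COM: no such entry found in hdb
2016-07-03T21:00:05 AS-REQ root@MY.DOMAIN.COM from IPv4:10.0.0.5 for krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
2016-07-03T21:00:05 UNKNOWN -- root@MY.DOMAIN.COM: no such entry found in hdb
"""


def parse_kdc_log(text):
    """Return (as_requests, unknown_principals).

    as_requests is a list of (client_principal, client_ip) for every AS-REQ;
    unknown_principals is the set of principals the KDC rejected as unknown.
    """
    as_requests = []
    unknown = set()
    for line in text.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            as_requests.append((m.group(1), m.group(2)))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.add(m.group(1))
    return as_requests, unknown


def spurious_as_requests(text, threshold=2):
    """Map (principal, client_ip) -> count for AS-REQs naming an unknown
    principal, keeping only pairs seen at least `threshold` times.

    A single rejected AS-REQ is ordinary noise (a typo, a stale config);
    the same unknown principal requested again and again from one host is
    the pattern this thread describes.
    """
    as_requests, unknown = parse_kdc_log(text)
    counts = Counter(pair for pair in as_requests if pair[0] in unknown)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def noisy_hosts(text, threshold=2):
    """Sorted list of client addresses that produced a repeated pattern."""
    return sorted({ip for (_, ip) in spurious_as_requests(text, threshold)})


if __name__ == "__main__":
    for (principal, ip), n in sorted(spurious_as_requests(SAMPLE_LOG).items()):
        print(f"{ip} sent {n} AS-REQs for unknown principal {principal}")
```

Running it on the sample reports 10.0.0.5 with three AS-REQs for root@MY.DOMAIN.COM, while the lone request from 10.0.0.9 and the member server's own machine-account request are not flagged. On a real deployment, a host that keeps appearing here after the April security release is a candidate for the gensec_gse behaviour discussed above; the same report also separates this benign-but-noisy pattern from a genuine guessing attempt, which would typically show many different principals rather than one.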



More information about the samba-technical mailing list