[RFC] fix bug 12007

Simo simo at samba.org
Mon Jul 4 15:40:05 UTC 2016


On Mon, 2016-07-04 at 00:06 +0300, Uri Simchoni wrote:
> On 07/04/2016 12:00 AM, Uri Simchoni wrote:
> > 
> > Hi,
> > 
> > Attached is a proposed fix for bug 12007 - spurious AS requests for
> > "root at my.domain.com" generated by a member server. Still running it
> > through local autobuild.
> > 
> > The issue surfaced after the April security release, which started
> > using gensec_gse for binding ldap connections.
> > 
> > The root cause is that with Heimdal, gss_acquire_cred() is generating
> > this AS request if the credentials are not found in the ccache. I have
> > no idea what good can possibly come out of this AS request for any user
> > of Kerberos. The attached fix replaces gss_acquire_cred by
> > gss_krb5_import_cred().
> > 
> > I'd like some feedback from those familiar with this code -
> > 1. It could be that the right fix is in Heimdal.
> > 2. The reason for acquiring the credentials (in client context!) seems
> > to be to be able to set the GSS_KRB5_CRED_NO_CI_FLAGS_X option on the
> > credentials - not sure what scenario this fixes and how to test that
> > there's no degradation there.
> > 3. Perhaps someone can easily determine the MIT behavior - if MIT is
> > not sending this request then maybe the patch should be #ifdef'd on
> > Kerberos type - use the more portable gss_acquire_cred() with MIT
> > Kerberos.
> > 
> > Thanks,
> > Uri.
> > 
> One more thing - the gensec_gse code also makes an extra TGS handshake,
> requesting a TGT, because it requires delegation for the security
> context. Do we need delegation for LDAP sasl binding/wrapping?

Generally no, we don't; it should be somehow selectable, based on the
target machine's "allowed to delegate to" (IIRC) flag.

Simo.