KDC canon test and GSSAPI

Andreas Schneider asn at samba.org
Wed Jul 6 14:54:49 UTC 2016

Hi Andrew,

I've wondered why we are using gensec_krb5 and not gensec_gssapi in the KDC 
canon tests. I didn't see a reason in the code why we need gensec_krb5 so I 
just replaced it with gensec_gssapi and it works.

Just the test which compares enterprise principals fails, but that test is 
wrong. Enterprise principals are used in AS-REQs and are canonicalized. On the 
server when they got processed and we call gss_accept_sec_context() it doesn't 
matter anymore. We can't expect that the principal comes out unmodified here.

So we I think we should compare it unescaped to get rid of gensec_krb5.

	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-WIP-kdc-canon-heimdal-gssapi.patch
Type: text/x-patch
Size: 1524 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160706/31c80ee5/0001-WIP-kdc-canon-heimdal-gssapi.bin>

More information about the samba-technical mailing list