KDC canon test and GSSAPI
Andreas Schneider
asn at samba.org
Wed Jul 6 14:54:49 UTC 2016
Hi Andrew,
I've wondered why we are using gensec_krb5 and not gensec_gssapi in the KDC
canon tests. I didn't see a reason in the code why we need gensec_krb5 so I
just replaced it with gensec_gssapi and it works.
Just the test which compares enterprise principals fails, but that test is
wrong. Enterprise principals are used in AS-REQs and are canonicalized. On the
server when they got processed and we call gss_accept_sec_context() it doesn't
matter anymore. We can't expect that the principal comes out unmodified here.
So we I think we should compare it unescaped to get rid of gensec_krb5.
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-WIP-kdc-canon-heimdal-gssapi.patch
Type: text/x-patch
Size: 1524 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160706/31c80ee5/0001-WIP-kdc-canon-heimdal-gssapi.bin>
More information about the samba-technical
mailing list