KDC canon test and GSSAPI

Andrew Bartlett abartlet at samba.org
Thu Jul 7 07:50:02 UTC 2016

On Wed, 2016-07-06 at 16:54 +0200, Andreas Schneider wrote:
> Hi Andrew,
> I've wondered why we are using gensec_krb5 and not gensec_gssapi in
> the KDC canon tests. I didn't see a reason in the code why we need
> gensec_krb5 so I just replaced it with gensec_gssapi and it works.
> Just the test which compares enterprise principals fails, but that
> test is wrong. Enterprise principals are used in AS-REQs and are
> canonicalized. On the server when they got processed and we call
> gss_accept_sec_context() it doesn't matter anymore. We can't expect
> that the principal comes out unmodified here.
> So I think we should compare it unescaped to get rid of gensec_krb5.

We found some very interesting behaviours here in the Microsoft KDC
that showed up here.  If canon wasn't specified, the enterprise
principal name made it all the way to the application server!
That is why it is done with gensec_krb5.  Building this test really
opened a can of worms - we were trying just to prove that a user could
use enterprise names in the AS-REQ, but it proved much harder to get
right than we ever expected.
Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
