KDC canon test and GSSAPI
Andrew Bartlett
abartlet at samba.org
Thu Jul 7 07:50:02 UTC 2016
On Wed, 2016-07-06 at 16:54 +0200, Andreas Schneider wrote:
> Hi Andrew,
>
> I've wondered why we are using gensec_krb5 and not gensec_gssapi in
> the KDC
> canon tests. I didn't see a reason in the code why we need
> gensec_krb5 so I
> just replaced it with gensec_gssapi and it works.
>
> Just the test which compares enterprise principals fails, but that
> test is
> wrong. Enterprise principals are used in AS-REQs and are
> canonicalized. On the
> server when they got processed and we call gss_accept_sec_context()
> it doesn't
> matter anymore. We can't expect that the principal comes out
> unmodified here.
>
> So we I think we should compare it unescaped to get rid of
> gensec_krb5.
We found some very interesting behaviours here in the Microsoft KDC
that showed up here. If canon wasn't specified, the enterprise
principal name made it all the way to the application server!
That is why it is done with gensec_krb5. Building this test really
opened a can of worms - we were trying just to prove that a user could
use enterprise names in the AS-REQ, but it proved much harder to get
right than we ever expected.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list