Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error

Andrew Bartlett abartlet at samba.org
Sun Mar 20 22:32:14 UTC 2016


On Sun, 2016-03-20 at 15:07 -0700, Richard Sharpe wrote:
> On Sun, Mar 20, 2016 at 2:29 PM, Andrew Bartlett <abartlet at samba.org>
> wrote:
> > 
> > On Sun, 2016-03-20 at 07:56 -0700, Richard Sharpe wrote:
> > > 
> > > Sigh,
> > > 
> > > Look at frame 7 in the attached to convince yourself that it is a
> > > Windows server responding (I don't think we support NEGOEX even
> > > now),
> > > and frame 11 to see how Windows responds when an error token is
> > > returned.
> > > 
> > > I don't gratuitously make these changes.
> > Thanks, I didn't previously have the context you gave above.  A
> > matching test would be a very good thing here, because this area is
> > some of the more delicate in Samba, and we want to keep getting it
> > right.
> Got to think about the test. The client and the KDC have to be sync'd
> within the required 5-minutes or whatever, and then the server we are
> contacting has to have drifted far forward or backwards.
> 
> Not sure if this is even a case that can arise for Samba as an AD DC.

Or we get a ticket with a 10sec expiry, and then attempt to use it.

The hard part may be convincing the client to still try and send it -
but you could do that by marshalling the packet, then delaying sending
it.  I know I'm asking for something tricky, but good tests here would
be really, really good.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba