Fixes for S3 DCE/RPC GSSAPI with Heimdal
Andrew Bartlett
abartlet at samba.org
Wed Apr 20 20:40:21 MDT 2011
On Thu, 2011-04-21 at 11:16 +1000, Andrew Bartlett wrote:
> On Wed, 2011-04-20 at 17:05 +1000, Andrew Bartlett wrote:
>
> > Luke,
> >
> > Am I correct in saying that MIT kerberos versions (1.6?) that don't
> > provide gss_get_name_attribute() also do not provide any way for the
> > caller to verify the PAC? In particular, I can't see a way to get the
> > service keyblock back from GSSAPI.
> >
> > The reason I ask is that it seems that it is impossible to securely use
> > the PAC in versions 1.6 and below, and I want to ensure we don't release
> > Samba 3.6 with a security hole.
> >
> > Simo,
> >
> > If this is the case, should we simply decide not to support GSSAPI
> > secured RPC against MIT 1.6? (that version I think had gss_wrap_iov but
> > not gss_get_name_attribute).
> >
> > I am writing a wrapper that checks the name and timestamp, but this
> > seems pointless if we don't check the actual signature on the PAC.
>
> See
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-fix for my latest patch set.
>
> Ironically, in the success case the release_oid fix isn't required.
> This bothers me - we should look into if we are just leaking it.
>
> This works for the top level build and autoconf, and I think it's ready
> for your review. I'm having difficulty with the s3-waf build, I'll keep
> nutting at it and get Tridge's help on that when he is available.
I've fixed the build issue. I think this patch set is good to go, with
only your final position on this OID mess to decide.
> I'll move Samba4 to also use this function when I get a chance.
That's now done. Hopefully this makes porting Samba4's code (into
common or for MIT krb5) easier in future. We should add similar
wrappers for the session key.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list