Fixes for S3 DCE/RPC GSSAPI with Heimdal

Andrew Bartlett abartlet at samba.org
Wed Apr 20 20:40:21 MDT 2011


On Thu, 2011-04-21 at 11:16 +1000, Andrew Bartlett wrote:
> On Wed, 2011-04-20 at 17:05 +1000, Andrew Bartlett wrote:
> 
> > Luke,
> > 
> > Am I correct in saying that MIT kerberos versions (1.6?) that don't
> > provide gss_get_name_attribute() also do not provide any way for the
> > caller to verify the PAC?  In particular, I can't see a way to get the
> > service keyblock back from GSSAPI.  
> > 
> > The reason I ask is that it seems that it is impossible to securely use
> > the PAC in versions 1.6 and below, and I want to ensure we don't release
> > Samba 3.6 with a security hole.
> > 
> > Simo,
> > 
> > If this is the case, should we simply decide not to support GSSAPI
> > secured RPC against MIT 1.6? (that version I think had gss_wrap_iov but
> > not gss_get_name_attribute). 
> > 
> > I am writing a wrapper that checks the name and timestamp, but this
> > seems pointless if we don't check the actual signature on the PAC.
> 
> See
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-fix for my latest patch set.
> 
> Ironically, in the success case the release_oid fix isn't required.
> This bothers me - we should look into if we are just leaking it. 
> 
> This works for the top level build and autoconf, and I think it's ready
> for your review.  I'm having difficulty with the s3-waf build, I'll keep
> nutting at it and get Tridge's help on that when he is available. 

I've fixed the build issue.  I think this patch set is good to go, with
only your final position on this OID mess to decide. 

> I'll move Samba4 to also use this function when I get a chance. 

That's now done.  Hopefully this makes porting Samba4's code (into
common or for MIT krb5) easier in future.  We should add similar
wrappers for the session key. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
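The point in the message above is that checking the client name and timestamp in the PAC proves nothing, because anyone holding the ticket can rewrite the PAC around those fields; only the server checksum, recomputed with the service keyblock, ties the authorization data to the KDC. The following is an added example, not Samba's code or MIT's, that builds a minimal MS-PAC (PACTYPE header, PAC_CLIENT_INFO, a placeholder LOGON_INFO body that is not real NDR, and the two PAC_SIGNATURE_DATA buffers) and verifies the server checksum with KERB_CHECKSUM_HMAC_MD5 as defined in RFC 4757 section 4 and MS-PAC 2.8. The keys, the principal name and the logon-info bytes are constructed for the demonstration; the helper names are mine:

```python
"""Added example: a PAC is only trustworthy after its server checksum is
recomputed with the service keyblock. Simplified MS-PAC layout; the
LOGON_INFO body here is a constructed placeholder, not NDR-marshalled data."""
import hashlib
import hmac
import struct

PAC_LOGON_INFO = 1         # MS-PAC 2.5 (real buffer is NDR KERB_VALIDATION_INFO)
PAC_SERVER_CHECKSUM = 6    # MS-PAC 2.8, signed with the service key
PAC_KDC_CHECKSUM = 7       # MS-PAC 2.8, signed with the krbtgt key
PAC_CLIENT_INFO = 10       # MS-PAC 2.7: ClientId FILETIME, NameLength, Name UTF-16LE
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # -138, the RC4-HMAC checksum type
KERB_NON_KERB_CKSUM_SALT = 17         # key usage for both PAC signatures
SIG_LEN = 16                          # HMAC-MD5 output length


def hmac_md5_checksum(key, usage, data):
    """KERB_CHECKSUM_HMAC_MD5 exactly as RFC 4757 section 4 describes it."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def unix_to_filetime(t):
    """Seconds since 1970 -> 100 ns intervals since 1601-01-01."""
    return (t + 11644473600) * 10_000_000


def build_pac(buffers):
    """PACTYPE header followed by PAC_INFO_BUFFER entries; bodies 8-byte aligned."""
    offset = 8 + 16 * len(buffers)
    info, body = b"", b""
    for btype, data in buffers:
        info += struct.pack("<IIQ", btype, len(data), offset)
        pad = (-len(data)) % 8
        body += data + b"\x00" * pad
        offset += len(data) + pad
    return struct.pack("<II", len(buffers), 0) + info + body


def parse_pac(blob):
    """Return [(type, offset, bytes)] for every buffer in the PAC."""
    count, _version = struct.unpack_from("<II", blob, 0)
    out = []
    for i in range(count):
        btype, size, off = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        out.append((btype, off, blob[off:off + size]))
    return out


def issue_pac(client, authtime, logon_info, service_key, kdc_key):
    """KDC side: server checksum over the PAC with both Signature fields zeroed,
    KDC checksum over the server checksum bytes."""
    name = client.encode("utf-16-le")
    client_info = struct.pack("<QH", unix_to_filetime(authtime), len(name)) + name
    empty_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * SIG_LEN
    blob = bytearray(build_pac([(PAC_LOGON_INFO, logon_info),
                                (PAC_CLIENT_INFO, client_info),
                                (PAC_SERVER_CHECKSUM, empty_sig),
                                (PAC_KDC_CHECKSUM, empty_sig)]))
    offs = {btype: off for btype, off, _ in parse_pac(blob)}
    server_sig = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(blob))
    s = offs[PAC_SERVER_CHECKSUM] + 4
    blob[s:s + SIG_LEN] = server_sig
    k = offs[PAC_KDC_CHECKSUM] + 4
    blob[k:k + SIG_LEN] = hmac_md5_checksum(kdc_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    return bytes(blob)


def check_client_info(blob, client, authtime):
    """The name-and-timestamp check alone: satisfiable without any key."""
    for btype, _off, data in parse_pac(blob):
        if btype == PAC_CLIENT_INFO:
            ft, nlen = struct.unpack_from("<QH", data, 0)
            return (ft == unix_to_filetime(authtime)
                    and data[10:10 + nlen].decode("utf-16-le") == client)
    return False


def verify_server_checksum(blob, service_key):
    """Service side: zero both Signature fields and recompute with the service keyblock."""
    zeroed = bytearray(blob)
    sig = None
    for btype, off, data in parse_pac(blob):
        if btype in (PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM):
            zeroed[off + 4:off + len(data)] = b"\x00" * (len(data) - 4)
            if btype == PAC_SERVER_CHECKSUM and \
                    struct.unpack_from("<I", data)[0] == KERB_CHECKSUM_HMAC_MD5:
                sig = data[4:4 + SIG_LEN]
    if sig is None:
        return False
    expected = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(zeroed))
    return hmac.compare_digest(expected, sig)


def tamper_logon_info(blob, new_logon_info):
    """Attacker: keep CLIENT_INFO and both signatures, swap the authorization data."""
    bufs = [(b, new_logon_info if b == PAC_LOGON_INFO else d) for b, _o, d in parse_pac(blob)]
    return build_pac(bufs)


# Constructed sample input: hypothetical 16-byte RC4-HMAC keys, not real secrets.
SERVICE_KEY = bytes(range(16))
KDC_KEY = bytes(range(16, 32))
AUTHTIME = 1303353600
GENUINE = issue_pac("alice", AUTHTIME, b"groups=Domain Users", SERVICE_KEY, KDC_KEY)
FORGED = tamper_logon_info(GENUINE, b"groups=Domain Users,Domain Admins")


def demo():
    """(forged passes name/time check, forged passes checksum,
        genuine passes checksum, genuine checked with the wrong key)"""
    return (check_client_info(FORGED, "alice", AUTHTIME),
            verify_server_checksum(FORGED, SERVICE_KEY),
            verify_server_checksum(GENUINE, SERVICE_KEY),
            verify_server_checksum(GENUINE, KDC_KEY))
```

The forged PAC passes the name and timestamp check and fails only the keyed checksum, which is exactly why a GSSAPI implementation that hands back the PAC but not the service keyblock (or does not verify the checksum itself before returning name attributes) leaves the caller with nothing it can rely on. The last value in demo() shows the other half of the problem: with the wrong key, even a genuine PAC cannot be distinguished from a forged one.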