author: Stefan Metzmacher <metze@samba.org> 2005-08-07 20:34:38 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:31:30 -0500
commit: 79c1c76b26a531bba02503f26158f189cfb32560 (patch)
tree: 2e0be186e0358129addc3e3d6e233ed3e4e564a9 /source4/auth
parent: 3824a0caa8c95b75e7d98340a5c9eb8d40c0b38d (diff)
r9196: - add a note about the Canonicalize KDCOption flag
- add a note about old clients using the wrong checksum type for GSSAPI in the Authenticator

metze

(This used to be commit 07e39bd94c3ce4d255e6cf6e68dc438bb5c9f9e6)
Diffstat (limited to 'source4/auth')
-rw-r--r-- source4/auth/kerberos/kerberos-notes.txt | 15 +++++++++++++++
1 file changed, 15 insertions(+), 0 deletions(-)
diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt
index 24e6ad2403..a9b62742fe 100644
--- a/source4/auth/kerberos/kerberos-notes.txt
+++ b/source4/auth/kerberos/kerberos-notes.txt
@@ -45,6 +45,21 @@ realm to what the client asked for, even just in case differences.
Heimdal has the same problem, and this applies to the krb5 layer, not
just gssapi.
+We need to test if the canonicalisation is controlled by the KDCOption
+flags, windows always sends the Canonicalize flags
+
+Old Clients (samba3 and HPUX clients) uses 'selfmade' gssapi/krb5
+for using it in the CIFS session setup. Because they use krb5_mk_req()
+they get a chksum field depending on the encryption type, but that's wrong
+for GSSAPI (see rfc 1964 section 1.1.1). The Cheksum type 8003
+should be used in the Authenticator of the AP-REQ! That allows the channel bindings,
+the GCC_C_* req_flags and optional delegation tickets to be passed from the client to the server.
+Hower windows doesn't seems to care about if the checksum is of the wrong type,
+for CIFS SessionSetups, it seems that the req_flags are just set to 0.
+So this can't work for LDAP connections with sign or seal, or for any DCERPC
+connection.
+
+So we need to also support old clients!
Principal Names, long and short names
-------------------------------------
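Review bot: the flag name "GCC_C_* req_flags" in the added paragraph should read "GSS_C_*" (the GSS-API request flags such as GSS_C_MUTUAL_FLAG and GSS_C_DELEG_FLAG), and the checksum type should be written as 0x8003 rather than "8003", since RFC 1964 section 1.1.1 defines it as the hexadecimal value and a reader could otherwise take it as decimal. The same paragraph has "Cheksum", "Hower windows doesn't seems to care", and "uses" for plural "Clients"; suggest "Checksum", "However Windows doesn't seem to care" and "use". Stylistically, the first added sentence ("We need to test if the canonicalisation is controlled by the KDCOption flags, windows always sends the Canonicalize flags") runs two statements together and lacks a terminating period, and the block ends at "So we need to also support old clients!" with no blank line before the "Principal Names, long and short names" heading, unlike the other sections of this notes file; adding a blank line there keeps the section separation consistent.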