From 79c1c76b26a531bba02503f26158f189cfb32560 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 7 Aug 2005 20:34:38 +0000 Subject: r9196: - add a note about the Canonicalize KDCOPtion flag - add a note about old client using the wrong checksum type for GSSAPI in the Authenticator metze (This used to be commit 07e39bd94c3ce4d255e6cf6e68dc438bb5c9f9e6) --- source4/auth/kerberos/kerberos-notes.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'source4/auth') diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt index 24e6ad2403..a9b62742fe 100644 --- a/source4/auth/kerberos/kerberos-notes.txt +++ b/source4/auth/kerberos/kerberos-notes.txt @@ -45,6 +45,21 @@ realm to what the client asked for, even just in case differences. Heimdal has the same problem, and this applies to the krb5 layer, not just gssapi. +We need to test if the canonicalisation is controlled by the KDCOption +flags, windows always sends the Canonicalize flags + +Old Clients (samba3 and HPUX clients) uses 'selfmade' gssapi/krb5 +for using it in the CIFS session setup. Because they use krb5_mk_req() +they get a chksum field depending on the encryption type, but that's wrong +for GSSAPI (see rfc 1964 section 1.1.1). The Cheksum type 8003 +should be used in the Authenticator of the AP-REQ! That allows the channel bindings, +the GCC_C_* req_flags and optional delegation tickets to be passed from the client to the server. +Hower windows doesn't seems to care about if the checksum is of the wrong type, +for CIFS SessionSetups, it seems that the req_flags are just set to 0. +So this can't work for LDAP connections with sign or seal, or for any DCERPC +connection. + +So we need to also support old clients! Principal Names, long and short names ------------------------------------- -- cgit
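Review bot: The new paragraph in the hunk names the request flags as "GCC_C_* req_flags", which should read "GSS_C_* req_flags" (the GSS-API request flags such as GSS_C_MUTUAL_FLAG and GSS_C_DELEG_FLAG) since that is what the Flags field of the RFC 1964 section 1.1.1 checksum carries; the same lines also have "Cheksum type 8003" (should be "Checksum type 0x8003", and the hex prefix avoids confusion with a decimal value), "Hower" (should be "However"), "doesn't seems" (should be "doesn't seem") and "Old Clients ... uses" (should be "use"). One point worth stating explicitly in the note: when the server accepts an AP-REQ whose Authenticator carries an encryption-type checksum instead of the 0x8003 one and treats req_flags as 0, it cannot learn that the client asked for mutual authentication, integrity or confidentiality, and no delegation ticket can be carried, which is exactly why the note concludes this works only for CIFS session setups and not for signed or sealed LDAP or any DCERPC connection. Suggest also recording the outcome of the KDCOption Canonicalize test once it has been run, since the first paragraph currently reads as an open question rather than a documented behaviour.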