[PATCH] heimdal fixes for the new keytab code
Jeremy Allison
jra at samba.org
Tue Jul 6 22:46:35 GMT 2004
On Tue, Jul 06, 2004 at 12:27:25PM +0200, Guenther Deschner wrote:
>
> There are still some small issues, I'm afraid ;-)
>
> * why do we let samba now kinit with HOST/fqdn at REALM, instead of
> HOST/machine at REALM in security=ads ? the current code does not even create
> HOST/fqdn at REAM-principals but HOST/fqdn-principals.
>
> AFAIK, this will break all existing security=ads installations prior to
> current svn. We should at least provide an internal upgrade path or describe
> the to-be-expected-effect in WHATSNEW.TXT. Or am I completely wrong here ?
Can you explain this more clearly. I'm not understanding you here. Please explain
*exactly* what the problem is.
> * The cleanup in libads might be a good chance to apply the remaining parts of
> the fix for #1208 (fix existing one-direction clock-skew-correction that can
> lead to infite loops whereever libsmb/clikrb5.c's cli_krb5_get_ticket is
> used) :)
Is there a patch in that bug report ? I'll take a look if so.
> * with the keytab-patch several initialize_krb5_error_tables slipped in. This
> is only needed for Heimdal Kerberos, we should provide another abstraction
> function for that later on.
Yeah, I wasn't sure about that but it doesn't seem to be a problem for MIT.
> * ads_keytab_create_default should not return it's last error-code (that is
> always non-0, at least in Heimdal) (attached)
Ok, thanks - I'll look at this.
Jeremy.
More information about the samba-technical
mailing list