[PATCH] heimdal fixes for the new keytab code
Gerald (Jerry) Carter
jerry at samba.org
Wed Jul 7 02:19:37 GMT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 6 Jul 2004, Jeremy Allison wrote:
> > * why do we let samba now kinit with HOST/fqdn at REALM, instead of
> > HOST/machine at REALM in security=ads ? the current code does not even create
> > HOST/fqdn at REAM-principals but HOST/fqdn-principals.
> >
> > AFAIK, this will break all existing security=ads installations prior to
> > current svn. We should at least provide an internal upgrade path or describe
> > the to-be-expected-effect in WHATSNEW.TXT. Or am I completely wrong here ?
>
> Can you explain this more clearly. I'm not understanding you here.
> Please explain *exactly* what the problem is.
I'm not sure I see it either. Guenther, can you provide a test case ?
service principals in the keytab have to be fully qualifgied I thought.
While the principal name in the kdc store does not (the realm is implcitly
defined).
> > * The cleanup in libads might be a good chance to apply the remaining
> > parts of
> > the fix for #1208 (fix existing one-direction clock-skew-correction that can
> > lead to infite loops whereever libsmb/clikrb5.c's cli_krb5_get_ticket is
> > used) :)
>
> Is there a patch in that bug report ? I'll take a look if so.
What's left to be done on bug 1208 ? Is the clock skew issue the last
bug? It's unclear to me if that is a real world example or just a loop
error in the code.
cheers, jerry
- ----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." ----------- Sting
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iD8DBQFA6125IR7qMdg1EfYRApK+AKDABsRxfLZFcjzFiP8QSC4VTzsshQCgvqH3
8RGzQRFoO0H+lUIlaJNBAlI=
=LSaH
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list