Custom Samba KPASSWD implementation
Todd Stecher
tstecher at isilon.com
Mon Mar 6 18:56:38 GMT 2006
Why is there a custom Kerberos KPASSWD implementation in SAMBA 3.0.xxx?

The KPASSWD implementation included in SAMBA can easily fail during net
ads join operations if the user doing the join is a member of > 300
groups. This is because the MS KDC will respond with an error reply of
"KRB5KRB_ERR_RESPONSE_TOO_BIG," prompting a switch to TCP for subsequent
KPASSWD messages.

This is also an issue in the MIT Kerberos implementation (changepw.c),
which I have fixed.

It seems like the SAMBA infrastructure should be making direct calls
into the MIT Kerberos library for KPASSWD operations - I would like to
make this fix to provide TCP support, but first would like to understand
why the original implementation did not make this cross-library call.

Thanks in advance,
Todd
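
The UDP-to-TCP switch described in the message above, sketched as an added example; it is not part of the original post and is not Samba or MIT Kerberos code. It assumes the 4-octet big-endian length prefix that RFC 3244 specifies for KPASSWD over TCP and protocol error code 52 for KRB_ERR_RESPONSE_TOO_BIG; all function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KRB_ERR_RESPONSE_TOO_BIG 52        /* RFC 4120 protocol error code */
enum kpw_transport { KPW_UDP, KPW_TCP };   /* hypothetical names */

/* Choose the transport for the next attempt: leave UDP only when the KDC
 * reported that its reply does not fit in a datagram. */
enum kpw_transport kpw_next_transport(enum kpw_transport cur, int krb_err)
{
    return (cur == KPW_UDP && krb_err == KRB_ERR_RESPONSE_TOO_BIG) ? KPW_TCP : cur;
}

/* On TCP each message travels behind a 4-octet big-endian length.
 * Returns the framed size, or 0 if `out` cannot hold it. */
size_t kpw_tcp_frame(const uint8_t *msg, size_t len, uint8_t *out, size_t cap)
{
    if (cap < 4 || len > cap - 4 || len > 0xFFFFFFFFu)
        return 0;
    out[0] = (uint8_t)(len >> 24); out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);  out[3] = (uint8_t)len;
    memcpy(out + 4, msg, len);
    return len + 4;
}

/* Inspect the bytes read so far from the stream. Returns 1 and sets msg/len
 * when a whole reply is buffered, 0 when more bytes are needed, and -1 when
 * the announced length is zero or above max_msg (never allocate on it). */
int kpw_tcp_unframe(const uint8_t *buf, size_t have, size_t max_msg,
                    const uint8_t **msg, size_t *len)
{
    uint32_t n;
    if (have < 4)
        return 0;
    n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
        ((uint32_t)buf[2] << 8) | buf[3];
    if (n == 0 || n > max_msg)
        return -1;
    if (have - 4 < n)
        return 0;
    *msg = buf + 4;
    *len = n;
    return 1;
}

int main(void)
{
    const uint8_t req[] = { 0xAA, 0xBB, 0xCC };  /* constructed placeholder bytes */
    uint8_t wire[16];
    printf("framed %zu bytes\n", kpw_tcp_frame(req, sizeof req, wire, sizeof wire));
    return 0;
}
```

The cap passed as `max_msg` matters on the TCP path because the length prefix is read before the reply has been authenticated.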