Betr.: Re: [jcifs] How to retrieve password

Michael B Allen mba2000 at ioplex.com
Sat Nov 27 09:10:32 GMT 2004


Enrique Rodriguez said:
> Michael B Allen wrote:
>> What you really want is Kerberos. Of course your network and the
>> application have to support it.
>
> Hi, Mike,
>
> I wrote a Kerberos server in Java and granted it to the Apache Software
> Foundation.  I have since written an RFC 3244 changepw service.  I
> originally wrote it against OpenLDAP, but about 2 weeks ago we replaced
> OpenLDAP with a Java LDAP server.  We are still working on documentation
> and improving the build process so people can get going with working on
> it all easier, but we are targeting mid-December for a very initial
> "0.05" release.  The entire suite is called Apache Directory.  If you
> think people on the jCIFS list would find it useful I can announce the
> release there when the time comes.

Absolutely. It's not clear if there is any intersection among the projects
but currently all of my JCIFS time is dedicated to understanding Kerberos,
GSS-API, etc., so we're very happy to hear from you.

Actually perhaps you can answer a Kerberos question I have?

You may be aware that MS has included an authorization data field called
the "PAC" [1] that contains group membership information in the tickets
issued by their KDC implementation. Could you describe how one might
retrieve this block of data?

Someone recently suggested that I just use the shared secret key
(password) to decrypt the ticket. However from reading RFC 1510 I have
reasoned that the field in question is the authorization-data[10] of
enc-part[3] of a ticket. If this is true I believe the RFC claims that
this data is encrypted in the server's secret key in which case I will not
be able to decrypt it.

Thanks,
Mike

[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/msdn_pac.asp
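
Added example, not part of the original message or of jCIFS: once a service has decrypted a ticket's enc-part with its own key, the authorization-data field can be walked like this to pull out the PAC bytes. The ad-type values (1 = AD-IF-RELEVANT from RFC 4120, 128 = AD-WIN2K-PAC from Microsoft's PAC documentation) are not on this page, and the helper names and sample bytes are constructed for illustration.

```python
AD_IF_RELEVANT = 1   # RFC 4120 container type
AD_WIN2K_PAC = 128   # ad-type Microsoft KDCs use for the PAC

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def find_pac(authz_der):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type[0] INTEGER, ad-data[1] OCTET STRING }"""
    tag, seq, _ = read_tlv(authz_der)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    for _, entry in children(seq):
        fields = dict(children(entry))      # explicit tags: 0xA0 = ad-type, 0xA1 = ad-data
        ad_type = int.from_bytes(read_tlv(fields[0xA0])[1], "big", signed=True)
        ad_data = read_tlv(fields[0xA1])[1]
        if ad_type == AD_WIN2K_PAC:
            return ad_data                  # raw PAC bytes, not parsed further here
        if ad_type == AD_IF_RELEVANT:       # ad-data is itself an AuthorizationData
            pac = find_pac(ad_data)
            if pac is not None:
                return pac
    return None

# Constructed sample (not a real ticket): builds the nesting find_pac expects.
def tlv(tag, value):
    assert len(value) < 128                 # short-form lengths suffice for the sample
    return bytes([tag, len(value)]) + value

def ad_entry(ad_type, data):
    num = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big")
    return tlv(0x30, tlv(0xA0, tlv(0x02, num)) + tlv(0xA1, tlv(0x04, data)))

FAKE_PAC = b"constructed-PAC-bytes"
SAMPLE = tlv(0x30, ad_entry(AD_IF_RELEVANT, tlv(0x30, ad_entry(AD_WIN2K_PAC, FAKE_PAC))))
```

find_pac(SAMPLE) returns FAKE_PAC; the function only locates the PAC and does not check the signatures carried inside it.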

