svn commit: samba r16952 - branches/SAMBA_3_0/source/include branches/SAMBA_3_0/source/libads branches/SAMBA_3_0/source/utils trunk/source/include trunk/source/libads trunk/source/utils

jerry at samba.org jerry at samba.org
Tue Jul 11 18:45:25 GMT 2006


Author: jerry
Date: 2006-07-11 18:45:22 +0000 (Tue, 11 Jul 2006)
New Revision: 16952

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16952

Log:
New derive DES salt code and Krb5 keytab generation

Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6           host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value.  The UPN will be added as well if the machine has 
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet.  ads_verify_ticket() 
continues to work with RC4-HMAC and DES keys.


Modified:
   branches/SAMBA_3_0/source/include/rpc_ds.h
   branches/SAMBA_3_0/source/libads/kerberos.c
   branches/SAMBA_3_0/source/libads/kerberos_keytab.c
   branches/SAMBA_3_0/source/libads/kerberos_verify.c
   branches/SAMBA_3_0/source/libads/ldap.c
   branches/SAMBA_3_0/source/libads/util.c
   branches/SAMBA_3_0/source/utils/net_ads.c
   trunk/source/include/rpc_ds.h
   trunk/source/libads/kerberos.c
   trunk/source/libads/kerberos_keytab.c
   trunk/source/libads/kerberos_verify.c
   trunk/source/libads/ldap.c
   trunk/source/libads/util.c
   trunk/source/utils/net_ads.c


Changeset:
Sorry, the patch is too large (3275 lines) to include; please use WebSVN to see it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16952
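
An added example (not part of the commit or of Samba's code): a small auditor for `ktutil list -e` output like the listing in the log message. It groups enctypes per principal and marks the DES and RC4-HMAC entries, since DES is deprecated by RFC 6649 and RC4-HMAC by RFC 8429. The function names and verdict labels are hypothetical; the sample rows are copied from the listing above, and the parser accepts both `@` and the list archive's ` at ` form.

```python
import re

# Enctype labels as printed in the listing above, mapped to a verdict label
# (the labels are this example's own). Anything not listed is marked "review".
VERDICT = {
    "DES cbc mode with CRC-32": "weak-des",
    "DES cbc mode with RSA-MD5": "weak-des",
    "ArcFour with HMAC/md5": "deprecated-rc4",
}

# Columns: slot, KVNO, principal, (enctype). The principal may have been
# rewritten from "name@REALM" to "name at REALM" by the mailing list archive.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+?)(?:@| at )(\S+)\s+\((.+)\)\s*$")

# Sample rows copied from the listing in the log message.
SAMPLE = """\
slot KVNO Principal
---- ---- ----------------------------------------
   1    6 host/suse10.plainjoe.org at COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   3    6 host/suse10.plainjoe.org at COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
"""

def parse_ktutil(listing):
    """Return one dict per keytab slot found in `ktutil: list -e` output."""
    entries = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            slot, kvno, name, realm, etype = m.groups()
            entries.append({"slot": int(slot), "kvno": int(kvno),
                            "principal": f"{name}@{realm}", "enctype": etype})
    return entries

def audit(entries):
    """Collect the KVNOs and enctype verdicts seen for each principal."""
    report = {}
    for e in entries:
        r = report.setdefault(e["principal"], {"kvnos": set(), "verdicts": set()})
        r["kvnos"].add(e["kvno"])
        r["verdicts"].add(VERDICT.get(e["enctype"], "review"))
    return report

if __name__ == "__main__":
    for principal, r in audit(parse_ktutil(SAMPLE)).items():
        print(principal, sorted(r["kvnos"]), sorted(r["verdicts"]))
```

More than one KVNO reported for a principal means keys from an earlier password are still present in the keytab.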

