svn commit: samba r16952 - branches/SAMBA_3_0/source/include branches/SAMBA_3_0/source/libads branches/SAMBA_3_0/source/utils trunk/source/include trunk/source/libads trunk/source/utils
jerry at samba.org
Tue Jul 11 18:45:25 GMT 2006
Author: jerry
Date: 2006-07-11 18:45:22 +0000 (Tue, 11 Jul 2006)
New Revision: 16952
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16952
Log:
New derive DES salt code and Krb5 keytab generation

Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
Modified:
branches/SAMBA_3_0/source/include/rpc_ds.h
branches/SAMBA_3_0/source/libads/kerberos.c
branches/SAMBA_3_0/source/libads/kerberos_keytab.c
branches/SAMBA_3_0/source/libads/kerberos_verify.c
branches/SAMBA_3_0/source/libads/ldap.c
branches/SAMBA_3_0/source/libads/util.c
branches/SAMBA_3_0/source/utils/net_ads.c
trunk/source/include/rpc_ds.h
trunk/source/libads/kerberos.c
trunk/source/libads/kerberos_keytab.c
trunk/source/libads/kerberos_verify.c
trunk/source/libads/ldap.c
trunk/source/libads/util.c
trunk/source/utils/net_ads.c
Changeset:
Sorry, the patch is too large (3275 lines) to include; please use WebSVN to see it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16952
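
Added example, not part of the commit or of Samba's code: a Python check that parses `ktutil list -e` output shaped like the listing in the log message and reports any principal that lacks one of the three key types the commit names, or that appears under more than one KVNO. The function names and the label-to-key-type mapping are assumptions read off that listing.

```python
import re
from collections import defaultdict

# `ktutil list -e` labels from the log message -> key types the commit names.
EXPECTED = {
    "DES cbc mode with CRC-32": "DES-CBC-CRC",
    "DES cbc mode with RSA-MD5": "DES-CBC-MD5",
    "ArcFour with HMAC/md5": "RC4-HMAC",
}
ENTRY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\((.+)\)\s*$")  # slot, KVNO, principal, (label)

def parse_listing(text):
    """Map each principal to the KVNOs and key types listed for it."""
    entries = defaultdict(lambda: {"kvnos": set(), "enctypes": set()})
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # prompt, header and separator lines
        _slot, kvno, principal, label = m.groups()
        entries[principal]["kvnos"].add(int(kvno))
        entries[principal]["enctypes"].add(EXPECTED.get(label, label))
    return dict(entries)

def audit(text):
    """Report principals missing a key type or listed under several KVNOs."""
    problems = []
    for principal, info in sorted(parse_listing(text).items()):
        missing = sorted(set(EXPECTED.values()) - info["enctypes"])
        if missing:
            problems.append(f"{principal}: missing {', '.join(missing)}")
        if len(info["kvnos"]) > 1:
            problems.append(f"{principal}: mixed KVNOs {sorted(info['kvnos'])}")
    return problems

# Listing from the log message, with principals written as name@REALM.
LISTING = """\
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
"""

if __name__ == "__main__":
    print(audit(LISTING) or "every principal has all three key types at one KVNO")
```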