Security with Samba 3.0 and Kerberos

Andrew Bartlett abartlet at
Sun Apr 6 03:19:40 GMT 2003

On Sun, 2003-04-06 at 09:09, Love wrote:
> Andrew Bartlett <abartlet at> writes:
> > On Sat, 2003-04-05 at 10:15, Luke Howard wrote:
> >> 
> >> Also, historically it's the responsibility of the Kerberos client
> >> library to manage a replay cache. I don't believe Heimdal has one,
> >> though.
> >
> > So where would it normally maintain such a cache?  In-memory won't work
> > due to the fork()ed nature of smbd...
> >
> > It would be good to be able to address this somehow.
> (In MIT) it's in a file, it's parsed when the process starts and then written
> to the file (and stored in a hash) for each request. Each request checks the
> hash before inserting the request.
> So, in a forked architecture you'll have problems if the process can handle
> multiple requests.

Yes, Samba can authenticate multiple users in a single smbd process.

> You can register your own replay cache operations in the kerberos lib,
> however this is undocumented.
> Heimdal includes a replay-cache, but it is disabled by default.

How do you suggest we best deal with this?

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
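
The problem discussed in this message, as an added example that is not part of the original post and is not Samba, MIT or Heimdal code: a file-backed replay cache whose check-and-insert is made atomic across forked processes by re-reading the file under an exclusive lock on every request. The record layout, the function name `rc_check_and_store` and the sample path are assumptions made for illustration; expiry of entries older than the allowed clock skew is left out.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Hypothetical record: the fields that identify one authenticator. */
struct rc_entry {
    char    client[64];  /* client principal name */
    int64_t ctime;       /* authenticator timestamp, seconds */
    int32_t cusec;       /* authenticator timestamp, microseconds */
};

/* Returns 0 if the authenticator is new (and is now recorded), 1 if it was
 * already seen (replay), -1 on error. The exclusive lock keeps two forked
 * children from both accepting the same authenticator. */
int rc_check_and_store(const char *path, const char *client,
                       int64_t ctime_sec, int32_t cusec)
{
    struct rc_entry want, cur;
    int fd, rc = 0;
    ssize_t n;

    memset(&want, 0, sizeof(want));
    strncpy(want.client, client, sizeof(want.client) - 1);
    want.ctime = ctime_sec;
    want.cusec = cusec;
    if ((fd = open(path, O_RDWR | O_CREAT, 0600)) < 0)
        return -1;
    if (flock(fd, LOCK_EX) != 0) { close(fd); return -1; }
    /* Scan the file each time: another process may have appended to it. */
    while ((n = read(fd, &cur, sizeof(cur))) == (ssize_t)sizeof(cur)) {
        if (memcmp(cur.client, want.client, sizeof(cur.client)) == 0 &&
            cur.ctime == want.ctime && cur.cusec == want.cusec) { rc = 1; break; }
    }
    if (rc == 0 && n != 0)
        rc = -1;  /* read error or truncated record: fail closed */
    if (rc == 0 && write(fd, &want, sizeof(want)) != (ssize_t)sizeof(want))
        rc = -1;
    close(fd);    /* closing the descriptor releases the lock */
    return rc;
}

int main(void)
{
    const char *p = "/tmp/rc_example.db";  /* constructed sample path */
    unlink(p);
    printf("first: %d\n", rc_check_and_store(p, "alice@EXAMPLE.COM", 1049599180, 42));
    printf("again: %d\n", rc_check_and_store(p, "alice@EXAMPLE.COM", 1049599180, 42));
    unlink(p);
    return 0;
}
```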