[PATCH] ADS changes for joining accounts w/o full Administrator rights

Antti Andreimann Antti.Andreimann at mail.ee
Wed Feb 12 11:16:57 GMT 2003


One fine day (Wednesday, 12 February 2003 00:16) Andrew Bartlett wrote:
> I think we need to do a few things here:
>  - We should record the principal name we joined with, and only ever
> send that to our clients.

That's a good idea. I'll look into it hopefully sometime during this week.

> should add a typedef from krb5_error to something harmless, or better
> still look into our ADS_ERROR stuff (partly created for exactly this
> kind of thing).  Returning an ADS_ERROR would probably be the best
> solution here.

Nope, that's not possible. The function is passed to 
krb5_get_init_creds_password as a pointer to function and the prototype is 
therefore dictated by kerberos libs. This could be overridden by some clever 
use of typecasts but this would be an ugly hack in my opinion.

> Well, I don't think this is sufficient reason not to do this properly.
> Duplicated code *will* break as two slightly different versions emerge.

Well, I do agree. Now that I have official permission to hack the build 
system I'll happily do it ;)
However a thought came to me last night that maybe this function is not needed 
after all. It's there as a workaround to a bug/feature (go figure ;) in 
kerberos libs but I think I know an easier way to solve it. I just have to 
test if it works.

-- 
         Antti Andreimann
      Using Linux since 1993
  Member of ELUG since 29.01.2000


