[PATCH] ADS changes for joining accounts w/o full Administrator rights

Andrew Bartlett abartlet at samba.org
Wed Feb 12 11:37:08 GMT 2003


On Wed, 2003-02-12 at 22:16, Antti Andreimann wrote:
> One fine day (Wednesday, 12 February 2003 00:16), Andrew Bartlett wrote:
> > I think we need to do a few things here:
> >  - We should record the principal name we joined with, and only ever
> > send that to our clients.
> 
> That's a good idea. I'll look into it hopefully sometime during this week.
> 
> > should add a typedef from krb5_error to something harmless, or better
> > still look into our ADS_ERROR stuff (partly created for exactly this
> > kind of thing).  Returning an ADS_ERROR would probably be the best
> > solution here.
> 
> Nope, that's not possible. The function is passed to 
> krb5_get_init_creds_password as a pointer to function and the prototype is 
> therefore dictated by kerberos libs. This could be overridden by some clever 
> use of typecasts but this would be an ugly hack in my opinion.

In that case, then the usual course of action is to manually prototype
the particular function, so that it only appears when WITH_KRB5 is set. 
But looking at the patch again, I don't see why you can't just call
kerberos_kinit_password() directly.

> > Well, I don't think this is sufficient reason not to do this properly.
> > Duplicated code *will* break as two slightly different versions emerge.
> 
> Well I do agree. Now that I have an official permission to hack the build 
> system I'll happily do it ;)
> However a thought came to me last night that maybe this function is not needed 
> after all. It's there as a workaround to a bug/feature (go figure ;) in 
> kerberos libs but I think I know an easier way to solve it. I just have to 
> test if it works.

I look forward to it :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net