[PATCH] heimdal fixes for the new keytab code

Guenther Deschner gd at sernet.de
Tue Jul 6 10:27:25 GMT 2004

Hi Jeremy,

On Thu, Jun 24, 2004 at 02:27:14PM -0700, Jeremy Allison wrote:
> Ok, I've finished the changes and the current SVN source code
> compiles with Heimdal. If you could test it I'd appreciate
> it.

Thank you, Jeremy.

There are still some small issues, I'm afraid ;-)

* why do we let samba now kinit with HOST/fqdn at REALM, instead of
  HOST/machine at REALM in security=ads ? the current code does not even create 
  HOST/fqdn at REAM-principals but HOST/fqdn-principals.

  AFAIK, this will break all existing security=ads installations prior to
  current svn. We should at least provide an internal upgrade path or describe
  the to-be-expected-effect in WHATSNEW.TXT. Or am I completely wrong here ?

* The cleanup in libads might be a good chance to apply the remaining parts of
  the fix for #1208 (fix existing one-direction clock-skew-correction that can
  lead to infite loops whereever libsmb/clikrb5.c's cli_krb5_get_ticket is
  used) :)

* with the keytab-patch several initialize_krb5_error_tables slipped in. This
  is only needed for Heimdal Kerberos, we should provide another abstraction
  function for that later on.

* ads_keytab_create_default should not return it's last error-code (that is
  always non-0, at least in Heimdal) (attached)

Thanks a lot,

Guenther Deschner, SerNet Service Network GmbH
Phone: +49-(0)551-370000-0,  Fax: +49-(0)551-370000-9
-------------- next part --------------
Index: source/libads/kerberos_keytab.c
--- source/libads/kerberos_keytab.c	(revision 1287)
+++ source/libads/kerberos_keytab.c	(working copy)
@@ -479,7 +479,7 @@
 	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
 	if (ret != KRB5_KT_END && ret != ENOENT ) {
-		while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
+		while ((krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
 			if (kt_entry.vno != kvno) {
 				char *ktprinc = NULL;
 				char *p;

More information about the samba-technical mailing list