[PATCH] heimdal fixes for the new keytab code

Jeremy Allison jra at samba.org
Tue Jul 6 22:46:35 GMT 2004


On Tue, Jul 06, 2004 at 12:27:25PM +0200, Guenther Deschner wrote:
> 
> There are still some small issues, I'm afraid ;-)
> 
> * why do we let samba now kinit with HOST/fqdn at REALM, instead of
>   HOST/machine at REALM in security=ads ? the current code does not even create 
>   HOST/fqdn at REALM-principals but HOST/fqdn-principals.
> 
>   AFAIK, this will break all existing security=ads installations prior to
>   current svn. We should at least provide an internal upgrade path or describe
>   the to-be-expected-effect in WHATSNEW.TXT. Or am I completely wrong here ?

Can you explain this more clearly? I'm not understanding you here. Please explain
*exactly* what the problem is.

> * The cleanup in libads might be a good chance to apply the remaining parts of
>   the fix for #1208 (fix existing one-direction clock-skew-correction that can
>   lead to infinite loops wherever libsmb/clikrb5.c's cli_krb5_get_ticket is
>   used) :)

Is there a patch in that bug report ? I'll take a look if so.

> * with the keytab-patch several initialize_krb5_error_tables slipped in. This
>   is only needed for Heimdal Kerberos, we should provide another abstraction
>   function for that later on.

Yeah, I wasn't sure about that but it doesn't seem to be a problem for MIT.

> * ads_keytab_create_default should not return its last error-code (that is
>   always non-0, at least in Heimdal) (attached)

Ok, thanks - I'll look at this.

Jeremy.

