[PATCH] heimdal fixes for the new keytab code

Gerald (Jerry) Carter jerry at samba.org
Wed Jul 7 02:19:37 GMT 2004


On Tue, 6 Jul 2004, Jeremy Allison wrote:

> > * why do we let samba now kinit with HOST/fqdn at REALM, instead of
> >   HOST/machine at REALM in security=ads ? the current code does not even create 
> >   HOST/fqdn at REALM-principals but HOST/fqdn-principals.
> > 
> >   AFAIK, this will break all existing security=ads installations prior to
> >   current svn. We should at least provide an internal upgrade path or describe
> >   the to-be-expected-effect in WHATSNEW.TXT. Or am I completely wrong here ?
> Can you explain this more clearly? I'm not understanding you here.
> Please explain *exactly* what the problem is.

I'm not sure I see it either.  Guenther, can you provide a test case?
Service principals in the keytab have to be fully qualified, I thought.
While the principal name in the kdc store does not (the realm is implicitly 

> > * The cleanup in libads might be a good chance to apply the remaining
> >   parts of the fix for #1208 (fix existing one-direction
> >   clock-skew-correction that can lead to infinite loops wherever
> >   libsmb/clikrb5.c's cli_krb5_get_ticket is used) :)
> Is there a patch in that bug report ? I'll take a look if so.

What's left to be done on bug 1208 ?  Is the clock skew issue the last 
bug?  It's unclear to me if that is a real world example or just a loop 
error in the code.

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." ----------- Sting 