Samba-3.0.7-1.3E Active Directory Issues
Jeremy Allison
jra at samba.org
Wed Oct 27 00:47:27 GMT 2004
On Tue, Oct 26, 2004 at 04:25:56PM -0400, Nalin Dahyabhai wrote:
> BTW, I'm using a test program I've placed on people.redhat.com [2] to
> obtain credentials for services and verify them with the machine
> password -- most of the additional guesses which the patch now makes are
> things that I stumbled onto while continuing to test things. It's been
> very helpful in determining what's happening on the KDC.
>
> One more, unrelated, issue that I've run into is that SMB signing
> doesn't seem to work quite right if the session key which the client and
> server negotiate is a DES key. After some guessing, it looks as though
> the key either needs to be at least 128 bits long, or it needs to be
> padded with zeros to make it seem so [3].
>
> Further feedback is still appreciated.
>
> Thanks,
>
> Nalin
>
> [1] http://people.redhat.com/nalin/test/samba-3.0.8pre1-salt-5.patch
> [2] http://people.redhat.com/nalin/test/ktverify-0.0.tar.gz
> [3] http://people.redhat.com/nalin/test/samba-3.0.8pre1-signing-shortkey.patch

Nalin,

Just wanted to let you know that I'm integrating and testing
these for Samba 3.0.8 right now - we're not dropping them. Thanks a *lot*
for all your work on this.

The only problem right now is you're using a couple of MIT-only interfaces

        krb5_decrypt_tkt_part()
        krb5_c_enctype_compare()

which don't exist in Heimdal (the kerberos used on SuSE and others).
I'm going to have to fix this before I can commit the patch (but please
coordinate with me if you're making other changes to the keytab patch,
as I'm half way through the integration work now).

I don't like to usually just "patch <input" a patch as I need to
understand it fully (especially in the kerberos code :-), so it can
take a little time to integrate something.

Also I need to valgrind it thoroughly :-).

Thanks,

Jeremy.