Samba-3.0.7-1.3E Active Directory Issues

Jeremy Allison jra at samba.org
Wed Oct 27 20:23:04 GMT 2004


On Wed, Oct 27, 2004 at 02:51:10PM -0400, Nalin Dahyabhai wrote:
> > 
> > krb5_decrypt_tkt_part()
> > krb5_c_enctype_compare()
> > 
> > which don't exist in Heimdal (the kerberos used on SuSE and others).
> > I'm going to have to fix this before I can commit the patch (but please
> > coordinate with me if you're making other changes to the keytab patch,
> > as I'm half way through the integration work now).
> 
> I realized that this might become a problem part of the way through, but
> must have forgotten about it later on.  I don't think the keytab patch
> is going to need any changes from a functional standpoint, but if I can
> help out with the changes needed to make it compile with Heimdal, I can
> take a stab at it.

Actually it's a little worse than that. You're also using 

krb5_decode_ticket()

which is also MIT only. What I think I'm going to try and do is
change your patch to use more documented calls. Essentially, all
you really need to do is for each service_principal/salting_principal
pair, create an AP_REQ message using krb5_mk_req_extended() (which we
wrap in ads_krb5_mk_req() ) and then check it can be decrypted by
krb5_rd_req.

Correct? This would prevent the problem of using private MIT APIs
and essentially determine the same thing (correct salt for DES secret
key).

Let me know what you think.

Jeremy.
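
The check proposed in the message above, as an added example (not code from the keytab patch or from Samba): for each service principal, derive a key under each candidate salting principal and keep the one that opens what the KDC issued. PBKDF2 and an HMAC tag are stand-ins for the Kerberos string-to-key and for the krb5_mk_req_extended()/krb5_rd_req() round trip; the principals, password and the KDC's salt choice are constructed.

```python
import hashlib
import hmac

def default_salt(principal):
    # RFC 4120 default salt: realm followed by the name components, no separators.
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()

def derive_key(password, salting_principal):
    # Stand-in for string-to-key: PBKDF2-HMAC-SHA1 (first stage of the RFC 3962
    # AES string-to-key), not the DES string-to-key the thread is about.
    salt = default_salt(salting_principal)
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def seal(key, service_principal):
    # Stand-in for the AP_REQ ticket the KDC encrypts in the service's key.
    return hmac.new(key, service_principal.encode(), hashlib.sha256).digest()

def opens(key, service_principal, blob):
    # Stand-in for krb5_rd_req() succeeding with a key from the keytab.
    return hmac.compare_digest(seal(key, service_principal), blob)

def find_salting_principals(password, kdc_blobs, candidates):
    # For each service principal, return the first candidate salting principal
    # whose derived key opens the KDC-issued blob, or None if none does.
    found = {}
    for svc, blob in kdc_blobs.items():
        found[svc] = next(
            (c for c in candidates if opens(derive_key(password, c), svc, blob)),
            None)
    return found

# Constructed sample data: realm, host, password and the KDC's salt choice.
PASSWORD = "constructed-machine-password"
HOST = "host/fs1.example.test@EXAMPLE.TEST"
CIFS = "cifs/fs1.example.test@EXAMPLE.TEST"
CANDIDATES = [CIFS, HOST, "FS1$@EXAMPLE.TEST"]

def constructed_kdc_blobs():
    # Assumption for the demo: the KDC salts every key of this account with HOST.
    kdc_key = derive_key(PASSWORD, HOST)
    return {svc: seal(kdc_key, svc) for svc in (HOST, CIFS)}

if __name__ == "__main__":
    for svc, salt in find_salting_principals(
            PASSWORD, constructed_kdc_blobs(), CANDIDATES).items():
        print(svc, "-> salted as", salt)
```

A result of None for a service principal means no candidate salt produced a usable key, which is the case a keytab writer has to report rather than store a key that will never decrypt a ticket.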

