Samba-3.0.7-1.3E Active Directory Issues

Nalin Dahyabhai nalin at
Wed Oct 27 20:48:21 GMT 2004

On Wed, Oct 27, 2004 at 01:23:04PM -0700, Jeremy Allison wrote:
> Actually it's a little worse than that. You're also using 
> krb5_decode_ticket()
> which is also MIT only. What I think I'm going to try and do is
> change your patch to use more documented calls. Essentially, all
> you really need to do is for each service_principal/salting_principal
> pair, create a AP_REQ message using krb5_mk_req_extended() (which we
> wrap in ads_krb5_mk_req() ) and then check it can be decrypted by
> krb5_rd_req.
> Correct ? This would prevent the problem of using private MIT API's
> and essentially determine the same thing (correct salt for DES secret
> key).

I hadn't considered using mk_req/rd_req that way, but I can't think of
any reason why it wouldn't work, and it'd probably take less code.  Are
you already working on such a change, or should I give it a go?



More information about the samba-technical mailing list