Samba-3.0.7-1.3E Active Directory Issues
Nalin Dahyabhai
nalin at redhat.com
Wed Oct 27 20:48:21 GMT 2004
On Wed, Oct 27, 2004 at 01:23:04PM -0700, Jeremy Allison wrote:
> Actually it's a little worse than that. You're also using
>
> krb5_decode_ticket()
>
> which is also MIT only. What I think I'm going to try and do is
> change your patch to use more documented calls. Essentially, all
> you really need to do is for each service_principal/salting_principal
> pair, create a AP_REQ message using krb5_mk_req_extended() (which we
> wrap in ads_krb5_mk_req() ) and then check it can be decrypted by
> krb5_rd_req.
>
> Correct ? This would prevent the problem of using private MIT API's
> and essentially determine the same thing (correct salt for DES secret
> key).
I hadn't considered using mk_req/rd_req that way, but I can't think of
any reason why it wouldn't work, and it'd probably take less code. Are
you already working on such a change, or should I give it a go?
Thanks,
Nalin
More information about the samba-technical
mailing list