Samba-3.0.7-1.3E Active Directory Issues

Jeremy Allison jra at samba.org
Wed Oct 27 20:53:14 GMT 2004


On Wed, Oct 27, 2004 at 04:48:21PM -0400, Nalin Dahyabhai wrote:
> On Wed, Oct 27, 2004 at 01:23:04PM -0700, Jeremy Allison wrote:
> > Actually it's a little worse than that. You're also using 
> > 
> > krb5_decode_ticket()
> > 
> > which is also MIT only. What I think I'm going to try and do is
> > change your patch to use more documented calls. Essentially, all
> > you really need to do is for each service_principal/salting_principal
> > pair, create an AP_REQ message using krb5_mk_req_extended() (which we
> > wrap in ads_krb5_mk_req() ) and then check it can be decrypted by
> > krb5_rd_req.
> > 
> > Correct? This would prevent the problem of using private MIT APIs
> > and essentially determine the same thing (correct salt for DES secret
> > key).
> 
> I hadn't considered using mk_req/rd_req that way, but I can't think of
> any reason why it wouldn't work, and it'd probably take less code.  Are
> you already working on such a change, or should I give it a go?

I'm already working on it - but *any* Kerberos code is just really painful
and nasty :-) so it may take a little while. BTW, your patch as it stands leaks
memory (the enctype array isn't freed). This is usual with Kerberos code (I've
never received a Kerberos patch that didn't fail valgrind in some way :-) so
I'm going to have to do it 'slow and steady' :-(. I'd appreciate some
feedback though - can I post you my changes as I go and have you review them?

Thanks,

	Jeremy.
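
The salt probe discussed in the quoted exchange, as an added Python model that is not part of the original message or of Samba's code. Assumptions: PBKDF2 stands in for the enctype's string-to-key function, an HMAC tag stands in for the krb5_mk_req_extended()/krb5_rd_req() round trip, and the password and all principal names are constructed.

```python
import hashlib
import hmac

def default_salt(principal: str) -> bytes:
    """Default Kerberos salt (RFC 4120): realm, then name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()

def string_to_key(password: str, salt: bytes) -> bytes:
    # Stand-in for the enctype's string-to-key (assumption: PBKDF2 replaces the
    # DES algorithm the thread is about; only the dependence on the salt matters).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)

def model_mk_req(kdc_key: bytes, service_principal: str):
    # Model of the AP_REQ: a ticket body protected under the key the KDC holds.
    body = b"ticket for " + service_principal.encode()
    return body, hmac.new(kdc_key, body, hashlib.sha1).digest()

def model_rd_req(candidate_key: bytes, ap_req) -> bool:
    # Model of krb5_rd_req(): succeeds only if our key matches the KDC's key.
    body, tag = ap_req
    expected = hmac.new(candidate_key, body, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)

def find_salting_principal(password, candidates, ap_req):
    """Return the first candidate whose salt yields a key that reads the AP_REQ."""
    for salting_principal in candidates:
        key = string_to_key(password, default_salt(salting_principal))
        if model_rd_req(key, ap_req):
            return salting_principal
    return None  # no candidate salt matches: wrong password or unknown salt

# Constructed sample data: the KDC salted the key with the host/ principal,
# not with the cifs/ service principal the ticket is issued for.
PASSWORD = "constructed-machine-password"
SERVICE = "cifs/fs1.example.com@EXAMPLE.COM"
CANDIDATES = [SERVICE, "host/fs1.example.com@EXAMPLE.COM", "FS1$@EXAMPLE.COM"]
KDC_KEY = string_to_key(PASSWORD, default_salt(CANDIDATES[1]))
AP_REQ = model_mk_req(KDC_KEY, SERVICE)

if __name__ == "__main__":
    print(find_salting_principal(PASSWORD, CANDIDATES, AP_REQ))
```
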

