svn commit: lorikeet r43 - in trunk/heimdal/lib: hdb kadm5

Luke Howard lukeh at PADL.COM
Mon Sep 6 12:22:08 GMT 2004

>It already does that. arcfour-hmac-md5 is NTLM hash as far as I understand
>it, that how you could upgrade from a windows NT4 to a W2K wo having all
>your users change their passwords. Heimdal doesn't support unicode and that
>might be a problem for you.

As Andrew probably has pointed out, the LM OWF is different. There is no
need to deal with this in Kerberos code paths (*), you will probably want
to store it in a separate attribute.

Granted, you do need to set it when changging passwords; one way to solve
this in Heimdal is using the password notification/strength checking API.
In our implementation we ship our own modified kpasswdd (it was the 
easiest way to guarantee atomicity on password change).

>Luke solved the problem with digest-http/digest-md5 by having the kdc also
>store those hashes. I've yet to add that patch since I don't have any
>consumers of the code yet.

Right, our digest pass-through authentication code uses the DIGEST-MD5
and CRAM-MD5 OWFs if available, otherwise if the cleartext password is
available (through the userAccountControl flag) then we use that.

-- Luke

(*) This is not entirely true, you do need the LM OWF for PKINIT; we handle
this in XAD's implementation of PKINIT using the HDB extension API.

More information about the samba-technical mailing list