Ideas on the kerberos issues with 3.0.6
abartlet at samba.org
Thu Sep 9 12:11:01 GMT 2004
I've been reading some of the bugs with Samba 3.0.6, and it seems that
we could do a few things better.

These are just ideas, but I wanted to put them to the list.

Examining a win2k3 domain controller, I see

In our case, we only check (in the session setup kerberos_verify.c code)
HOST/w2003final.win2k3.bartlett.house. My vague understanding of
Kerberos tells me that this will work for the 'unsalted' encryption
types (type 23) but not for the older, salted types, which would line up
with the bugs suffered by those with krb5 1.2.

What changed (I think) is that we used to use HOST/W2003FINAL, i.e. as
used by most netbios connects. We should add a loop, to check all
registered servicePrincipalNames, and add all of them on the join.

On similar lines, I'm not quite sure what the deal is with CIFS/ - but
when using the keytab, we seem to only use CIFS/ and not HOST/, which
doesn't make much sense. We should register both, if CIFS/ really has
meaning, and loop over both, for both keytab and secrets based
connections. (The loop is just a crypto compare, not network traffic,
so it's reasonably cheap).

Anyway, these are just random ideas, in the hope that they might assist
somebody with the time to track this down properly.

Andrew Bartlett abartlet at samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
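
The reasoning in the message above, sketched as an added example that is not part of the original post and is not Samba code: a key derived without a salt verifies under any assumed principal name, a salted key only under the name it was derived for, and a loop over candidate names recovers the match. The realm, password and payload are constructed; SHA-256, PBKDF2 and an HMAC tag are stand-ins for the real type 23 and salted string-to-key functions and for ticket decryption, and the salt follows the RFC 4120 default (realm plus name components).

```python
import hashlib
import hmac

# Constructed sample values; the realm is assumed from the host name in the post.
REALM = "WIN2K3.BARTLETT.HOUSE"
FQDN_SPN = "HOST/w2003final.win2k3.bartlett.house"
SHORT_SPN = "HOST/W2003FINAL"
PASSWORD = "constructed-machine-password"

def default_salt(realm, principal):
    # RFC 4120 default salt: realm, then the name components, no separators.
    return (realm + "".join(principal.split("/"))).encode()

def unsalted_key(password, principal):
    # Stand-in for type 23: the key depends on the password only.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def salted_key(password, principal):
    # Stand-in for a salted string-to-key: the principal name feeds the salt.
    salt = default_salt(REALM, principal)
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)

def seal(key, data):
    # Stand-in for ticket encryption: payload plus keyed checksum.
    return data + hmac.new(key, data, hashlib.sha256).digest()

def unseal(key, blob):
    data, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, good) else None

def verify_ticket(blob, password, derive, candidates):
    """Return the first candidate principal whose key verifies the blob."""
    for name in candidates:
        if unseal(derive(password, name), blob) is not None:
            return name
    return None

def demo():
    # The issuing side keyed both blobs under the short name.
    t23 = seal(unsalted_key(PASSWORD, SHORT_SPN), b"authz-data")
    tsalt = seal(salted_key(PASSWORD, SHORT_SPN), b"authz-data")
    return (
        verify_ticket(t23, PASSWORD, unsalted_key, [FQDN_SPN]),
        verify_ticket(tsalt, PASSWORD, salted_key, [FQDN_SPN]),
        verify_ticket(tsalt, PASSWORD, salted_key, [FQDN_SPN, SHORT_SPN]),
    )

if __name__ == "__main__":
    print(demo())
```

Each candidate costs one key derivation and one checksum compare, with no network traffic.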