Ideas on the kerberos issues with 3.0.6

Andrew Bartlett abartlet at
Thu Sep 9 12:11:01 GMT 2004

I've been reading some of the bugs with Samba 3.0.6, and it seems that
we could do a few things better.

These are just ideas, but I wanted to put them to the list.

Examining a win2k3 domain controller, I see 

servicePrincipalName: HOST/
servicePrincipalName: HOST/W2003FINAL
servicePrincipalName: HOST/

In our case, we only check (in the session setup kerberos_verify.c code)
HOST/  My vauge understanding of
kerberos tells me that this will work for the 'unsalted' encryption
types (type 23) but not for the older, salted types, which would line up
with the bugs suffered by those with krb5 1.2.

What changed (I think) is that we used to use HOST/W2003FINAL, ie as
used by most netbios connects.  We should add a loop, to check all
registered servicePrincipalNames, and add all of them on the join.

On similar lines, I'm not quite sure what the deal is with CIFS/ - but
when using the keytab, we seem to only use CIFS/ and not HOST/, which
doesn't make much sense.  We should register both, if CIFS/ really has
meaning, and loop over both, for both keytab and secrets based
connections.  (The loop is just a crypto compare, not network traffic,
so it's reasonably cheap).

Anyway, these are just random ideas, in the hope that they might assist
somebody with the time to track this down properly.


Andrew Bartlett

Andrew Bartlett                                 abartlet at
Authentication Developer, Samba Team  
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list