kerberos private and deprecated functions being used

Andrew Bartlett abartlet at samba.org
Fri Apr 1 21:09:37 GMT 2005


On Fri, 2005-04-01 at 11:09 -0500, derrell at samba.org wrote:
> Just to ensure that my comment in an svn checkin didn't get lost in the
> noise, I'll mention it again here...
> 
> In the process of cleaning up the compiler warnings from the code, I
> discovered that the file libads/sasl.c uses krb5_*() functions that are marked
> as private, and the file libsmb/clikrb5.c uses krb5_*() functions that are
> marked as private and/or deprecated.

This is deliberate.  MIT Kerberos (which is not the only kerberos btw)
has some particular ideas about what applications should and should not
do - ideas not shared by those on the team who needed to implement that
functionality.

I suspect that krb5_set_default_tgs_ktypes() is not required - and I
guess kerberos developers would tell you that this is a config file
issue.  The problem is that for many years, the sample krb5.conf file
did not include the (new with MIT 1.3) arcfour-hmac-md5 encryption type,
so this was unavailable, which caused pain.

These days, jerry suggests a very blank krb5.conf, leaving almost
everything to defaults.

In clikrb5.c, I suspect kerberos developers would tell you that we have
no business delving around in the ticket for the session key, to
implement our own botched up signing mechanism - that's what kerberos is
for.   Back in reality, we need this key data because the raw key values
are used in a number of places, entirely divorced from the kerberos
exchange (smb signing, the session key on ncacn_np pipes).

Regarding the free functions, I suspect this is as much about the fact
that nobody really expected anything other than ktutil to deal with
keytabs in such an intimate manner.  This is memory leak city if not
done properly, so I would consult jra very closely before changing this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net