Catching more principals in ads_keytab_verify_ticket()
Jeremy Allison
jra at samba.org
Sat Mar 12 01:01:14 GMT 2005
On Fri, Mar 11, 2005 at 03:21:51PM -0800, Doug VanLeuven wrote:
> Jeremy Allison wrote:
>
> >On Fri, Mar 11, 2005 at 01:44:41AM -0800, Doug VanLeuven wrote:
> >
> >
> >>Doug VanLeuven wrote:
> >>
> >>
> >>
> >>>>Even without the global option, updating the static list to include
> >>>>cifs/<host>.<realm>@<REALM> might help fix bug 2414. I've got a
> >>>>patch for just that part right now.
> >>>>
> >>>>
> >>>This patch adds these variations to samba managed keytabs:
> >>><global_myname())>.<REALM>@REALM that Michael Brown noticed
> >>>and
> >>><global_myname())>.<realm>@REALM that I'm seeing from Enterprise 2003
> >>>Native mode for out-of-realm dns domains.
> >>>
> >>>
> >>Ooops. Forgot to attach the patch.
> >>
> >>
> >
> >Applied, thanks !
> >
> >
> Just a reminder.
> This patch works in conjunction with Michael Brown's patch to
> kerberos_verify.c.
> If you don't want to use that patch, then essentially the same thing
> needs to be done in kerberos_verify.c for these names to be matched and
> used there.
Yes, but I can't use his patch as-is due to the memory leak of not freeing
the keytab entry after reading.
This is why I *hate* kerberos. No one ever writes working kerberos code. Ever.
Not even me - I bet even when I've fixed it there's another problem somewhere... :-).
I'm re-working the patch right now.
Jeremy.
More information about the samba-technical
mailing list