Catching more principals in ads_keytab_verify_ticket()
Jeremy Allison
jra at samba.org
Sat Mar 12 01:13:25 GMT 2005
On Fri, Mar 11, 2005 at 05:01:14PM -0800, Jeremy Allison wrote:
> On Fri, Mar 11, 2005 at 03:21:51PM -0800, Doug VanLeuven wrote:
> > Jeremy Allison wrote:
> >
> > >On Fri, Mar 11, 2005 at 01:44:41AM -0800, Doug VanLeuven wrote:
> > >
> > >
> > >>Doug VanLeuven wrote:
> > >>
> > >>
> > >>
> > >>>>Even without the global option, updating the static list to include
> > >>>>cifs/<host>.<realm>@<REALM> might help fix bug 2414. I've got a
> > >>>>patch for just that part right now.
> > >>>>
> > >>>>
> > >>>This patch adds these variations to samba managed keytabs:
> > >>><global_myname())>.<REALM>@REALM that Michael Brown noticed
> > >>>and
> > >>><global_myname())>.<realm>@REALM that I'm seeing from Enterprise 2003
> > >>>Native mode for out-of-realm dns domains.
> > >>>
> > >>>
> > >>Ooops. Forgot to attach the patch.
> > >>
> > >>
> > >
> > >Applied, thanks !
> > >
> > >
> > Just a reminder.
> > This patch works in conjunction with Michael Brown's patch to
> > kerberos_verify.c.
> > If you don't want to use that patch, then essentially the same thing
> > needs to be done in kerberos_verify.c for these names to be matched and
> > used there.
>
> Yes, but I can't use his patch as-is due to the memory leak of not freeing
> the keytab entry after reading.
>
> This is why I *hate* kerberos. No one ever writes working kerberos code. Ever.
> Not even me - I bet even when I've fixed it there's another problem somewhere... :-).
>
> I'm re-working the patch right now.
And of course MIT and Heimdal have different requirements for freeing a keytab
entry after iterating it... See the function smb_krb5_kt_free_entry() for details.
Essentially you can't guarantee that a kt_entry is a pointer. It may be a struct,
so you can't assign NULL to it.
I *hate* kerberos :-).
Jeremy.
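
The leak and the struct-versus-pointer point from the message above, as a small self-contained C model added here; it is not Samba's code, not part of the original post, and does not call the krb5 API. All toy_* names, the audit table and the sample principals are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model, not the krb5 API: a struct-typed entry with heap members. */
typedef struct { char *principal; unsigned char *key; } toy_kt_entry;
static const char *toy_keytab[] = {      /* constructed sample principals */
    "cifs/fs1.example.com@EXAMPLE.COM", "cifs/fs1.EXAMPLE.COM@EXAMPLE.COM",
};
static void *blocks[16];                 /* live heap blocks, for auditing */
static void *toy_alloc(size_t n) {
    for (int i = 0; i < 16; i++)
        if (!blocks[i]) return blocks[i] = calloc(1, n);
    return NULL;                         /* audit table full */
}
static void toy_release(void *p) {
    for (int i = 0; p && i < 16; i++)
        if (blocks[i] == p) { free(p); blocks[i] = NULL; return; }
}
static int toy_live(void) {              /* blocks allocated, not yet freed */
    int n = 0;
    for (int i = 0; i < 16; i++) n += blocks[i] != NULL;
    return n;
}
/* Release the members, then zero the struct. A struct cannot be set to
 * NULL, so memset marks it empty and makes a repeated call harmless. */
static void toy_free_entry(toy_kt_entry *e) {
    toy_release(e->principal);
    toy_release(e->key);
    memset(e, 0, sizeof(*e));
}
/* Fill *e with entry *cur; returns 0 on success, -1 at end or on failure. */
static int toy_next_entry(size_t *cur, toy_kt_entry *e) {
    if (*cur >= sizeof(toy_keytab) / sizeof(toy_keytab[0])) return -1;
    e->principal = toy_alloc(strlen(toy_keytab[*cur]) + 1);
    e->key = toy_alloc(16);
    if (!e->principal || !e->key) { toy_free_entry(e); return -1; }
    strcpy(e->principal, toy_keytab[(*cur)++]);
    return 0;
}
/* free_each == 0 is the leaky pattern: each entry is overwritten by the
 * next one without being released. Returns 1 if `wanted` is present. */
static int toy_find(const char *wanted, int free_each) {
    toy_kt_entry e = {0};
    int found = 0;
    for (size_t cur = 0; !found && toy_next_entry(&cur, &e) == 0; ) {
        found = strcmp(e.principal, wanted) == 0;
        if (free_each) toy_free_entry(&e);   /* on match and miss alike */
    }
    return found;
}
int main(void) { return toy_find(toy_keytab[1], 1) && toy_live() == 0 ? 0 : 1; }
```

In a server that scans the keytab for every incoming ticket, the leaky variant grows by one entry's contents per entry visited on each authentication attempt, so the free has to sit inside the loop rather than after it.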