Work required before we enable krb5 in default config

Andrew Bartlett abartlet at
Thu Sep 8 10:08:12 GMT 2005

Particularly with the recent PAC work done, we are now much, much closer
to enabling the gensec_gssapi module by default, and therefore to
transparently handling Kerberos.

The things that I see as TODO are in two categories: AES and DNS.

By using the AES encryption types, we change the properties of GSSAPI
and Kerberos, in ways that break more fragile bits of Samba.  These are:

 - PAC signatures (assumes a 16-byte key):
   The PAC parsing and verification code we have at the moment relies on
   fixed offsets into the end of the PAC buffer.

 - GSSAPI wrapping (assumed a fixed GSSAPI wrap format)

Both of these can be fixed (a 'mere matter of programming').

Andrew Bartlett
Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
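
An added example, not Samba's code and not part of the original message: one way to locate PAC signatures without fixed offsets is to walk the PAC_INFO_BUFFER table and take the checksum length from the SignatureType field. The layout and type numbers follow MS-PAC; the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAC_SERVER_CHECKSUM 6u /* ulType values defined in MS-PAC */
#define PAC_KDC_CHECKSUM    7u

static uint32_t rd32(const uint8_t *p) { /* little-endian read */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Find a signature by walking the PAC_INFO_BUFFER table instead of using
 * fixed offsets. Returns 0 and the checksum's offset/length, -1 if malformed. */
int pac_find_sig(const uint8_t *pac, size_t n, uint32_t want,
                 size_t *off, size_t *len) {
    if (n < 8 || rd32(pac + 4) != 0) return -1;       /* Version must be 0 */
    uint32_t count = rd32(pac);                       /* cBuffers */
    if (count > (n - 8) / 16) return -1;              /* table must fit */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = pac + 8 + 16 * (size_t)i;  /* ulType, size, Offset */
        uint32_t sz = rd32(e + 4);
        uint64_t o = rd32(e + 8) | (uint64_t)rd32(e + 12) << 32;
        if (rd32(e) != want) continue;
        if (sz < 4 || o > n || sz > n - o) return -1; /* buffer inside PAC */
        int32_t t = (int32_t)rd32(pac + o);           /* SignatureType */
        *len = (t == -138) ? 16 : (t == 15 || t == 16) ? 12 : 0; /* MD5 : AES */
        if (*len == 0 || sz < 4 + *len) return -1;    /* unknown or truncated */
        *off = (size_t)o + 4;
        return 0;
    }
    return -1;
}

/* Constructed sample with filler checksum bytes; b must hold 76 bytes. */
size_t sample_pac(uint8_t *b) {
    memset(b, 0, 76); wr32(b, 2);                          /* cBuffers = 2 */
    wr32(b + 8, 6);  wr32(b + 12, 16); wr32(b + 16, 40);   /* server entry */
    wr32(b + 24, 7); wr32(b + 28, 20); wr32(b + 32, 56);   /* KDC entry */
    wr32(b + 40, 16); memset(b + 44, 0xAA, 12);            /* AES256, 12 bytes */
    wr32(b + 56, (uint32_t)-138); memset(b + 60, 0xBB, 16);/* HMAC-MD5, 16 bytes */
    return 76;
}
int main(void) {
    uint8_t pac[76]; size_t off, len, n = sample_pac(pac);
    if (pac_find_sig(pac, n, PAC_KDC_CHECKSUM, &off, &len)) return 1;
    return printf("KDC checksum: offset %zu, %zu bytes\n", off, len) < 0;
}
```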