Work required before we enable krb5 in default config

Luke Howard lukeh at
Thu Sep 8 15:00:20 GMT 2005

>GSSAPI wrapping (assumed a fixed GSSAPI wrap format):
>The GSSAPI gss_wrap() call isn't suitable for DCE/RPC, so I intend to
>add a new API to put back separate sign/seal interfaces with separate
>signature generation.  This should work with the new AES wrap format.  I
>need to figure out how Microsoft handles this...

I think the gss_wrap_ex() we added should do this; it's sitting in
the mechglue branch of Heimdal.

>We need to ensure that Heimdal doesn't cause us to do blocking DNS
>lookups for domains that may not be kerberised, and in particular for
>the client-side canonicalisation of hostnames (that may not exist in
>DNS).  I don't want to enable this, and have users swearing at DNS

You should be able to disable this entirely in the client library;
it's not necessary with Active Directory because the KDC can do name

-- Luke
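
As an added example (not from this thread, nor Heimdal or Samba code), a small Python audit of the `[libdefaults]` keys that govern the client-side DNS canonicalisation discussed above. The key names and defaults follow MIT krb5's krb5.conf(5); whether a given Heimdal build honours the same keys is an assumption to check against its own manual.

```python
"""Added example (not from the thread): audit a krb5.conf for [libdefaults]
keys that leave the client library doing blocking DNS lookups to canonicalise
service hostnames.  Key names/defaults follow MIT krb5's krb5.conf(5)."""

_FALSE = {"false", "no", "off", "0", "f", "n"}

def parse_libdefaults(text):
    """Return top-level key/value pairs of the [libdefaults] section."""
    settings, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        depth += line.count("{") - line.count("}")   # nested relation blocks
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value
    return settings

def audit_dns_canonicalisation(text):
    """Return (key, effective value) pairs that still permit a blocking DNS
    lookup before a service ticket is requested; an empty list means none."""
    settings = parse_libdefaults(text)
    findings = []
    canon = settings.get("dns_canonicalize_hostname", "true").lower()  # MIT default
    if canon not in _FALSE:
        findings.append(("dns_canonicalize_hostname", canon))
        rdns = settings.get("rdns", "true").lower()  # reverse lookup; moot once disabled
        if rdns not in _FALSE:
            findings.append(("rdns", rdns))
    return findings

# Constructed sample configurations, not taken from any real host.
DEFAULT_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

HARDENED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # leave name canonicalisation to the KDC instead of client-side DNS
    dns_canonicalize_hostname = false
    rdns = false
"""
```

Calling `audit_dns_canonicalisation(open("/etc/krb5.conf").read())` on a host returns the keys still left at the lookup-enabling default; `[]` means the client library will not go to DNS to canonicalise service names.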
