kerberos_derive_salting_principal() is bogus code
Gerald (Jerry) Carter
jerry at samba.org
Wed Jul 5 22:40:25 GMT 2006
Gerald (Jerry) Carter wrote:
> Jeremy,
>
> Unless I am badly mistaken, this cannot work. I've even
> stepped through with gdb and we never actually succeed in deriving
> the salting principal for DES keys. Here's why:
>
> kerberos_derive_salting_principal_for_enctype() sends a TGS
> for the proposed service principal and then tries to decrypt
> it with the passed-in enctype. The problem
> is that the service ticket will always be sealed with the
> strongest key associated with the principal, which in
> an AD domain is always RC4-HMAC. But we always skip this
> enctype in kerberos_derive_salting_principal_direct().
>
> I just don't see any point to this code at all.
I take it back. If the machine account has the DES_ONLY
flag set, then this code would make sense. But running
it in the presence of RC4-HMAC support does not.
cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian