kerberos_derive_salting_principal() is bogus code

Gerald (Jerry) Carter jerry at
Wed Jul 5 22:40:25 GMT 2006


Gerald (Jerry) Carter wrote:
> Jeremy,
> Unless I am badly mistaken, this cannot work.  I've even
> stepped through with gdb and we never actually succeed in deriving
> the salting principal for DES keys.  Here's why:
> kerberos_derive_salting_principal_for_enctype() sends a TGS
> for the proposed service principal and then tries to decrypt
> it with the passed in enctype.  The problem
> is that the service ticket will always be sealed with the
> strongest key associated with the principal which in
> an AD domain is always RC4-HMAC.  But we always skip this
> enctype in kerberos_derive_salting_principal_direct().
> I just don't see any point to this code at all.

I take it back. If the machine account has the DES_ONLY
flag set, then this code would make sense.  But running
it in the presence of RC4-HMAC support does not.

cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian