kerberos_derive_salting_principal() is bogus code
Andrew Bartlett
abartlet at samba.org
Wed Jul 5 23:34:47 GMT 2006
On Wed, 2006-07-05 at 17:42 -0500, Gerald (Jerry) Carter wrote:
> Jeremy Allison wrote:
>
> > What if this were an smbclient kerberized connection
> > using an MIT kdc? I do recall the person who sent
> > in this code originally was using an MIT kdc (although
> > I could have been mistaken, it was a while ago).
>
> You miss the point though. This is done when running
> 'net ads join'. That code has nothing to do with non-MS
> realms. I'm not saying that DES keys are not useful, I'm
> saying the derive salting principal code is broken on
> systems with RC4-HMAC support.

It was written for old RHEL systems without that support.

Better would be to actually ask for the salt, either by a modified
Kerberos API, or Volker's mini-krb5 testing implementation, as we only
need to process 2 packets.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
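
One way a client can ask for the salt instead of deriving it, per RFC 4120: the KDC can advertise it in PA-ETYPE-INFO2 padata, which a client then only has to decode. The sketch below is an added illustration, not code from this thread or from Samba; the function names, the sample bytes and the sample salt are constructed for the example.

```python
# Added illustration, not Samba code: decode PA-ETYPE-INFO2 (RFC 4120) for the salt.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def parse_etype_info2(padata_value):
    """Return [(etype, salt or None), ...] from a DER-encoded ETYPE-INFO2."""
    tag, seq, end = read_tlv(padata_value, 0)
    if tag != 0x30 or end != len(padata_value):
        raise ValueError("expected exactly one SEQUENCE")
    entries = []
    for tag, entry in children(seq):
        if tag != 0x30:
            raise ValueError("ETYPE-INFO2-ENTRY must be a SEQUENCE")
        etype = salt = None
        for ctx, field in children(entry):
            inner_tag, inner, _ = read_tlv(field, 0)
            if ctx == 0xA0 and inner_tag == 0x02:    # etype [0] Int32
                etype = int.from_bytes(inner, "big", signed=True)
            elif ctx == 0xA1 and inner_tag == 0x1B:  # salt [1] KerberosString
                salt = inner.decode("ascii")
        if etype is None:
            raise ValueError("entry without etype")
        entries.append((etype, salt))
    return entries

# Constructed sample: etype 18 (aes256) with a salt, etype 23 (rc4-hmac) with none.
_der = lambda tag, value: bytes([tag, len(value)]) + value  # short-form lengths only
SAMPLE = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x12"))
                         + _der(0xA1, _der(0x1B, b"EXAMPLE.COMhostpc1.example.com")))
              + _der(0x30, _der(0xA0, _der(0x02, b"\x17"))))
```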