kerberos_derive_salting_principal() is bogus code

Andrew Bartlett abartlet at
Wed Jul 5 23:34:47 GMT 2006

On Wed, 2006-07-05 at 17:42 -0500, Gerald (Jerry) Carter wrote:
> Jeremy Allison wrote:
> > What if this were an smbclient kerberized connection
> > using an MIT kdc ? I do recall the person who sent
> > in this code originally was using an MIT kdc (although
> > I could have been mistaken, it was a while ago).
> You miss the point though.  This is done when running
> 'net ads join'.  That code has nothing to do with non-MS
> realms.  I'm not saying that DES keys are not useful, I'm
> saying the derive salting principal code is broken on
> systems with RC4-HMAC support.

It was written for old RHEL systems without that support.

Better would be to actually ask for the salt, either by a modified
Kerberos API, or Volker's mini-krb5 testing implementation, as we only
need to process 2 packets.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College

More information about the samba-technical mailing list