Rewrite the DES salt derivation code

Gerald (Jerry) Carter jerry at
Mon Jul 10 01:02:45 GMT 2006



Here's my rewrite of the "derive-des-salt" code in 3.0.23.
This patch throws away all of the old code and simply
stores the DES salting principal based on the rules of Windows 2000
and 2003 domains.  We no longer get a service ticket for
ourselves and try to validate it, which speeds up the domain
join a good bit.

Also, I've restricted ads_verify_ticket() to DES-CBC-CRC,
DES-CBC-MD5, and RC4-HMAC (if supported).  The reasoning
is that we never store the long term passphrase from
secrets.tdb when joined to a non-MS realm anyways.  So trying
all supported enctypes seems a bit overkill.  My take is
that when joined to a non-MS realm, the keytab is authoritative
and must be managed by the krb5 admin.  For such realms,
you can create entries in the keytab for whatever enctypes
you desire.

This patch has been tested against Windows 2000 & 2003 domains
as well as Windows 2000 domains with mixed 2000/2003 DCs,
testing both with and without UPNs.

cheers, jerry
Samba
Centeris
"What man is a man who does not make the world better?"      --Balian

 include/rpc_ds.h         |    7 
 libads/kerberos.c        |  580 ++++++++---------------------------------------
 libads/kerberos_keytab.c |    3 
 libads/kerberos_verify.c |   14 -
 libads/ldap.c            |   79 ++++--
 libads/util.c            |    8 
 utils/net_ads.c          |   69 ++++-
 7 files changed, 230 insertions(+), 530 deletions(-)

More information about the samba-technical mailing list