Rewrite the DES salt derivation code

Gerald (Jerry) Carter jerry at samba.org
Mon Jul 10 01:02:45 GMT 2006


Folks,

Here's my rewrite of the "derive-des-salt" code in 3.0.23.
This patch throws away all of the old code and simply
stores the DES salting principal based on the rules of Windows 2000
and 2003 domains.  We no longer get a service ticket for
ourselves and try to validate it which speeds up the domain
join a good bit.

Also, I've restricted ads_verify_ticket() to DES-CBC-CRC,
DES-CBC-MD5, and RC4-HMAC (if supported).  The reasoning
is that we never store the long term passphrase from
secrets.tdb when joined to a non-MS realm anyways.  So trying
all supported enctypes seems a bit overkill.  My take is
that when joined to a non-MS realm, the keytab is authoritative
and must be managed by the krb5 admin.  For such realms,
you can create entries in the keytab for whatever enctypes
you desire.

This patch has been tested against Windows 2000 & 2003 domains
as well as Windows 2000 domains with mixed 2000/2003 DCs,
testing both with and without UPNs.


cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
 include/rpc_ds.h         |    7 
 libads/kerberos.c        |  580 ++++++++---------------------------------------
 libads/kerberos_keytab.c |    3 
 libads/kerberos_verify.c |   14 -
 libads/ldap.c            |   79 ++++--
 libads/util.c            |    8 
 utils/net_ads.c          |   69 ++++-
 7 files changed, 230 insertions(+), 530 deletions(-)
Attachment: des_salt.patch (text/x-patch, 27514 bytes)
http://lists.samba.org/archive/samba-technical/attachments/20060709/06d40676/des_salt.bin