Rewrite the DES salt derivation code

Andrew Bartlett abartlet at
Mon Jul 10 01:30:13 GMT 2006

On Sun, 2006-07-09 at 20:02 -0500, Gerald (Jerry) Carter wrote:
> Folks,
> Here's my rewrite of the "derive-des-salt" code in 3.0.23.
> This patch throws away all of the old code and simply
> stores DES salting principal based the rules of Windows 2000
> and 2003 domains.  We no longer get a service ticket for
> ourselves and try to validate it which speeds up the domain
> join a good bit.
> Also, I've restricted ads_verify_ticket() to DES-CBC-CRC,
> DES-CBC-MD5, and RC4-HMAC (if supported).  The reasoning
> is that we never store the long term passphrase from
> secrets.tdb when joined to a non-MS realm anyways.  So trying
> all supported enctypes seems a bit overkill.  

The only thing is when Samba joins a LongHorn (or Samba4) domain, which
may support AES.

> My take is
> that when joined to a non-MS realm, the keytab is authoritative
> and must be managed by the krb5 admin.  For such realms,
> you can create entries in the keytab for whatever enctypes
> you desire.
> This patch has been tested against Windows 2000 & 2003 domains
> as well as a Windows 2000 domains with mixed 2000/2003 DCs
> testing both with and without UPNs.

Thanks for doing the cleanup here.  It is a mess.  I did a similar thing
in Samba4 (we actually only use a keytab, managed by and pointed at by

I'll probably pinch some of that logic for our join, to make this more

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Student Network Administrator, Hawker College
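The salting rules Jerry's rewrite stores, and the enctype restriction he describes for ads_verify_ticket(), as an added worked example. This is not code from the patch or from Samba; the salt rules (uppercase realm + "host" + lowercase hostname + "." + lowercase realm for computer accounts, uppercase realm + case-preserved sAMAccountName for user accounts) come from MS-KILE, not from this thread. It assumes the sAMAccountName without its trailing '$' is the host's short DNS name, does not model the UPN case the patch was tested against, and the account names and realm are constructed:

```python
"""Windows 2000/2003-style DES salt derivation for AD accounts.

Added example for this thread; not code from the patch or from Samba.
Rules follow MS-KILE 3.1.1.2 (the thread itself does not spell them out).
Account names and realm used below are constructed test data.
"""

# IANA Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23


def is_computer_account(sam_account_name: str) -> bool:
    """AD computer accounts carry a trailing '$' in sAMAccountName."""
    return sam_account_name.endswith("$")


def windows_des_salt(sam_account_name: str, realm: str) -> str:
    """Return the string-to-key salt a Windows 2000/2003 DC uses for DES keys.

    Computer account: REALM + "host" + lowercase(hostname) + "." + lowercase(realm)
    User account:     REALM + sAMAccountName (case preserved)
    where REALM is the DNS domain name in uppercase.
    Assumption: sAMAccountName minus '$' is the host's short DNS name.
    """
    if not sam_account_name or not realm:
        raise ValueError("sam_account_name and realm must be non-empty")
    upper_realm = realm.upper()
    if is_computer_account(sam_account_name):
        hostname = sam_account_name[:-1].lower()
        return f"{upper_realm}host{hostname}.{realm.lower()}"
    return f"{upper_realm}{sam_account_name}"


def salting_principal(sam_account_name: str, realm: str) -> str:
    """The same salt expressed as a Kerberos principal name.

    A krb5 library's default salt for a principal is realm followed by the
    name components concatenated, so storing this principal (assumption:
    what the thread calls the "DES salting principal") yields exactly the
    string windows_des_salt() returns.
    """
    if is_computer_account(sam_account_name):
        hostname = sam_account_name[:-1].lower()
        return f"host/{hostname}.{realm.lower()}@{realm.upper()}"
    return f"{sam_account_name}@{realm.upper()}"


def ticket_enctype_allowed(enctype: int, rc4_supported: bool) -> bool:
    """Allow-list matching the restriction described for ads_verify_ticket():
    DES-CBC-CRC, DES-CBC-MD5 and, if the local Kerberos library supports it,
    RC4-HMAC. AES enctypes are deliberately absent, which is the gap Andrew
    raises for Longhorn/Samba4 domains."""
    allowed = {DES_CBC_CRC, DES_CBC_MD5}
    if rc4_supported:
        allowed.add(RC4_HMAC)
    return enctype in allowed


if __name__ == "__main__":
    # Constructed sample accounts in a constructed realm.
    for acct in ("WKS01$", "Jerry"):
        print(acct, "->", windows_des_salt(acct, "example.com"),
              "|", salting_principal(acct, "example.com"))
```

Running the block prints the computer-account salt EXAMPLE.COMhostwks01.example.com beside its principal form host/wks01.example.com@EXAMPLE.COM, which is why storing a principal rather than a raw salt string is sufficient: the library regenerates the same salt from it without a round trip to the KDC.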