Rewrite the DES salt derivation code
abartlet at samba.org
Mon Jul 10 01:30:13 GMT 2006
On Sun, 2006-07-09 at 20:02 -0500, Gerald (Jerry) Carter wrote:
> Here's my rewrite of the "derive-des-salt" code in 3.0.23.
> This patch throws away all of the old code and simply
> stores the DES salting principal based on the rules of Windows 2000
> and 2003 domains. We no longer get a service ticket for
> ourselves and try to validate it which speeds up the domain
> join a good bit.
> Also, I've restricted ads_verify_ticket() to DES-CBC-CRC,
> DES-CBC-MD5, and RC4-HMAC (if supported). The reasoning
> is that we never store the long term passphrase from
> secrets.tdb when joined to a non-MS realm anyways. So trying
> all supported enctypes seems a bit overkill.
The only thing is when Samba joins a LongHorn (or Samba4) domain, which
may support AES.
> My take is
> that when joined to a non-MS realm, the keytab is authoritative
> and must be managed by the krb5 admin. For such realms,
> you can create entries in the keytab for whatever enctypes
> you desire.
> This patch has been tested against Windows 2000 & 2003 domains
> as well as a Windows 2000 domain with mixed 2000/2003 DCs
> testing both with and without UPNs.
Thanks for doing the cleanup here. It is a mess. I did a similar thing
in Samba4 (we actually only use a keytab, managed by and pointed at by
I'll probably pinch some of that logic for our join, to make this more
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
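How the salting principal and salt string might be derived for an AD account, together with the enctype restriction Jerry describes, as an added Python example that is not code from Samba or from the patch under discussion; the Windows 2000/2003 salt rules it encodes are my own assumption and are not stated in the thread.

```python
# Added example, not code from the Samba patch discussed above. Builds the
# Kerberos DES salting principal and salt string for an Active Directory
# account, and filters the enctypes ads_verify_ticket() would be allowed
# to try. The Windows 2000/2003 salt rules below are an ASSUMPTION (my own
# reading of them); the enctype numbers are the real RFC 3961/4757 values.

DES_CBC_CRC = 1
DES_CBC_MD5 = 3
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23

# The three enctypes the patch restricts ticket verification to.
VERIFY_ENCTYPES = (DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC)


def des_salting_principal(realm, account, upn=None):
    """Return (salting principal, salt string) for an AD account.

    Assumed rules: a computer account (sAMAccountName ending in '$') salts
    as host/<lowercase fqdn>@REALM; a user salts by sAMAccountName; on
    Windows 2003 a userPrincipalName, when present, takes precedence.
    The salt string follows the Kerberos default form: the uppercase
    realm followed by the name components with no separators.
    """
    realm_u = realm.upper()
    if upn:
        name = upn.split("@", 1)[0]
    elif account.endswith("$"):
        name = "host/" + account[:-1].lower() + "." + realm.lower()
    else:
        name = account
    salt = realm_u + name.replace("/", "")
    return name + "@" + realm_u, salt


def usable_enctypes(offered, rc4_supported=True):
    """Keep only the enctypes the patch lets ads_verify_ticket() try.

    RC4-HMAC is dropped when the local krb5 library does not support it.
    """
    allowed = set(VERIFY_ENCTYPES)
    if not rc4_supported:
        allowed.discard(RC4_HMAC)
    return [e for e in offered if e in allowed]


if __name__ == "__main__":
    # Constructed sample realm and machine account name.
    print(des_salting_principal("example.com", "WKS01$"))
    print(usable_enctypes([AES256_CTS_HMAC_SHA1_96, RC4_HMAC, DES_CBC_MD5]))
```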