Rewrite the DES salt derivation code

Andrew Bartlett abartlet at samba.org
Mon Jul 10 01:30:13 GMT 2006


On Sun, 2006-07-09 at 20:02 -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Folks,
> 
> Here's my rewrite of the "derive-des-salt" code in 3.0.23.
> This patch throws away all of the old code and simply
> stores DES salting principal based on the rules of Windows 2000
> and 2003 domains.  We no longer get a service ticket for
> ourselves and try to validate it which speeds up the domain
> join a good bit.
> 
> Also, I've restricted ads_verify_ticket() to DES-CBC-CRC,
> DES-CBC-MD5, and RC4-HMAC (if supported).  The reasoning
> is that we never store the long term passphrase from
> secrets.tdb when joined to a non-MS realm anyways.  So trying
> all supported enctypes seems a bit overkill.  

The only thing is when Samba joins a LongHorn (or Samba4) domain, which
may support AES.

> My take is
> that when joined to a non-MS realm, the keytab is authoritative
> and must be managed by the krb5 admin.  For such realms,
> you can create entries in the keytab for whatever enctypes
> you desire.
> 
> This patch has been tested against Windows 2000 & 2003 domains
> as well as a Windows 2000 domain with mixed 2000/2003 DCs
> testing both with and without UPNs.

Thanks for doing the cleanup here.  It is a mess.  I did a similar thing
in Samba4 (we actually only use a keytab, managed by and pointed at by
secrets.ldb).

I'll probably pinch some of that logic for our join, to make this more
robust.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
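The salting rules the patch above stores are not spelled out in the thread, so here is a worked illustration of them. This is added example code, not Jerry's patch or any Samba source: it follows the Windows 2000/2003 rules as documented in MS-KILE and as Samba implements them (computer accounts salt on `host/<lowercase hostname>.<lowercase realm>@REALM`, plain user accounts on `sAMAccountName@REALM`, and accounts with a userPrincipalName on the UPN's name part at the UPN's upper-cased realm), then applies the RFC 4120 default salt (realm followed by the name components, concatenated). The `Account` class and all sample names are constructed for the example.

```python
"""Derive the Kerberos salting principal and default salt string for an
Active Directory account under the Windows 2000/2003 rules.

Added illustration only; not code from the Samba 3.0.23 patch discussed
above.  Account names and realms below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    sam_account_name: str                 # e.g. "WKS01$" or "jcarter"
    realm: str                            # Kerberos realm of the AD domain
    is_computer: bool = False             # workstation/server trust account?
    user_principal_name: Optional[str] = None   # optional UPN attribute


def salting_principal(acct: Account) -> Tuple[List[str], str]:
    """Return (name components, realm) of the salting principal.

    Rules (MS-KILE / Samba behaviour, assumed here):
      * UPN present      -> name part of the UPN @ upper-cased UPN realm
      * computer account -> host/<lower hostname>.<lower realm> @ REALM
      * user account     -> sAMAccountName @ REALM (case preserved)
    """
    if acct.user_principal_name:
        name, _, upn_realm = acct.user_principal_name.partition("@")
        return [name], (upn_realm or acct.realm).upper()
    if acct.is_computer:
        # Strip the trailing '$' of the machine account and lower-case
        # both the host name and the realm for the second component.
        host = acct.sam_account_name.rstrip("$").lower()
        return ["host", f"{host}.{acct.realm.lower()}"], acct.realm.upper()
    return [acct.sam_account_name], acct.realm.upper()


def principal_string(acct: Account) -> str:
    """Render the salting principal as 'comp1/comp2@REALM'."""
    comps, realm = salting_principal(acct)
    return "/".join(comps) + "@" + realm


def default_salt(components: List[str], realm: str) -> str:
    """RFC 4120 default salt: realm, then every name component, with no
    separators.  This is the string the DES/RC4 string-to-key uses."""
    return realm + "".join(components)


def des_salt(acct: Account) -> str:
    """Convenience wrapper: salting principal -> salt string."""
    comps, realm = salting_principal(acct)
    return default_salt(comps, realm)


if __name__ == "__main__":
    samples = [
        Account("WKS01$", "EXAMPLE.COM", is_computer=True),
        Account("jcarter", "EXAMPLE.COM"),
        Account("jcarter", "EXAMPLE.COM",
                user_principal_name="jcarter@corp.example.com"),
    ]
    for a in samples:
        print(f"{a.sam_account_name:10} -> {principal_string(a):40} "
              f"salt={des_salt(a)}")
```

The practical point for anyone debugging a join: the salt is public, but a keytab built with the wrong salting principal (for instance the upper-case host name, or the account name instead of the UPN) yields DES keys that never validate against the DC, which is exactly the failure mode the old "get a ticket for ourselves and try to verify it" code was probing for at run time.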