Combined DES salt and Keytab cleanup patch

Love Hörnquist Åstrand lha at
Thu Jul 13 18:45:04 GMT 2006


> I agree.  it's horrible,  But it's the world we live in.
> We can probably do a better job though.  I'm still working
> on more cleanups.

I'm not horrified, I just don't know how to solve the problem.

> I'm wondering if the name is always canoncalized by the
> AD KDC based on the matching SPN.

The KDC hands back whatever the the client asks for, including weird
case-ing, and its up to the server to do the matching.

So, if you know what matching rules the ms kdc uses, the the servers needs
to use the same. Since the data is backed by ldap, i assume ldap rules to
matches the UPN/SPN.

Other solution is to add a catch all keytab entry that will match all


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 823 bytes
Desc: not available
Url :

More information about the samba-technical mailing list