Combined DES salt and Keytab cleanup patch

Dave Daugherty dave.daugherty at
Thu Jul 13 23:45:35 GMT 2006

Love Hörnquist Åstrand Sent: Thursday, July 13, 2006 11:45 AM

> Jerry,

> > I agree.  it's horrible,  But it's the world we live in.
> > We can probably do a better job though.  I'm still working
> > on more cleanups.

> I'm not horrified, I just don't know how to solve the problem.

> > I'm wondering if the name is always canoncalized by the
> > AD KDC based on the matching SPN.

> The KDC hands back whatever the the client asks for, including weird
> case-ing, and its up to the server to do the matching.

> So, if you know what matching rules the ms kdc uses, the the servers needs
> to use the same. Since the data is backed by ldap, i assume ldap rules to
> matches the UPN/SPN.

> Other solution is to add a catch all keytab entry that will match all
> entries.

> Love

Jerry if it helps your decision making process...

Remember that we only deal with MIT Kerberos 1.35 and above...

Each time the computer account password is changed, we rev the KVNO (if its win2k3), delete older KVNOs and generate new keytab keys by reading the SPNs from the computer account and adding DES and RC4 Keys for the new KVNO.  We don't worry about case.  We don't have near the install base of Samba, but so far I don't know of anyone we are breaking.

Dave Daugherty
Centrify Corp.

More information about the samba-technical mailing list