Combined DES salt and Keytab cleanup patch

Andrew Bartlett abartlet at
Fri Jul 14 01:39:18 GMT 2006

On Thu, 2006-07-13 at 20:34 -0500, Gerald (Jerry) Carter wrote:
> Hash: SHA1
> Andrew Bartlett wrote:
> >>> * Figure the DES salt based on the domain functional level
> >>>   and UPN (if present and applicable)
> >>> * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
> >>>   keys
> > 
> > Why not just deal with the key as presented?  We have:
> > 
> > smb_krb5_get_keyinfo_from_ap_req(), which returns the enc 
> > type of the incoming ticket.
> Hmmm... Did you read the patch?  The point was to limit
> the keys in the keytab to enctypes supported by AD.
> Not ticket decryption.

Ahh, sorry, it must have been an earlier change.  I was reading the
current code in ads_secrets_verify_ticket().  At one point, that asked
the krb5 code for the list of encryption types, and now it just uses the
types you list above, in a static array.

I just think the 'try to decrypt with every enctype' loop is silly.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.         

More information about the samba-technical mailing list