Combined DES salt and Keytab cleanup patch
Andrew Bartlett
abartlet at samba.org
Fri Jul 14 01:39:18 GMT 2006
On Thu, 2006-07-13 at 20:34 -0500, Gerald (Jerry) Carter wrote:
> Andrew Bartlett wrote:
>
> >>> * Figure the DES salt based on the domain functional level
> >>> and UPN (if present and applicable)
> >>> * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
> >>> keys
> >
> > Why not just deal with the key as presented? We have:
> >
> > smb_krb5_get_keyinfo_from_ap_req(), which returns the enc
> > type of the incoming ticket.
>
> Hmmm... Did you read the patch? The point was to limit
> the keys in the keytab to enctypes supported by AD.
> Not ticket decryption.

Ahh, sorry, it must have been an earlier change. I was reading the
current code in ads_secrets_verify_ticket(). At one point, that asked
the krb5 code for the list of encryption types, and now it just uses the
types you list above, in a static array.

I just think the 'try to decrypt with every enctype' loop is silly.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com