Custom Samba KPASSWD implementation

Todd Stecher tstecher at
Mon Mar 6 18:56:38 GMT 2006

Why is there a custom Kerberos KPASSWD implementation in SAMBA

The KPASSWD implementation included in SAMBA can easily fail during net
ads join operations if the user doing the join is a member of > 300
groups.  This is because the MS KDC will respond with an error reply of
"KRB5KRB_ERR_RESPONSE_TOO_BIG," prompting a switch to TCP for subsequent
KPASSWD messages.

This is also an issue in the MIT Kerberos implementation (changepw.c),
which I have fixed.  

It seems like the SAMBA infrastructure should be making direct calls
into the MIT kerberos library for KPASSWD operations - I would like to
make this fix to provide TCP support, but first would like to understand
why the original implementation did not make this cross-library call.

Thanks in advance,



More information about the samba-technical mailing list