Custom Samba KPASSWD implementation

Andrew Bartlett abartlet at samba.org
Mon Mar 6 20:04:48 GMT 2006


On Mon, 2006-03-06 at 10:56 -0800, Todd Stecher wrote:
> Why is there a custom Kerberos KPASSWD implementation in SAMBA 3.0.xxx?
> 
> The KPASSWD implementation included in SAMBA can easily fail during net
> ads join operations if the user doing the join is a member of > 300
> groups.  This is because the MS KDC will respond with an error reply of
> "KRB5KRB_ERR_RESPONSE_TOO_BIG," prompting a switch to TCP for subsequent
> KPASSWD messages.
> 
> This is also an issue in the MIT Kerberos implementation (changepw.c),
> which I have fixed.  
> 
> It seems like the SAMBA infrastructure should be making direct calls
> into the MIT kerberos library for KPASSWD operations - I would like to
> make this fix to provide TCP support, but first would like to understand
> why the original implementation did not make this cross-library call.

From memory, at the time MIT did not support the 0xff80 protocol used by
MS, supporting an administrative password set.  We also should direct
the password set to the same DC that we just joined to, so as to avoid
replication delays.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
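The failure mode Todd describes (a KRB-ERROR of KRB5KRB_ERR_RESPONSE_TOO_BIG over UDP, then a retry over TCP) and the 0xff80 set-password variant Andrew refers to, as an added example that is not part of this thread and not Samba's or MIT's code: a toy kpasswd client that frames a request per RFC 3244, tries UDP first, and switches to TCP only for error-code 52 (RFC 4120's value for RESPONSE_TOO_BIG). Everything else is an assumption made to keep it runnable offline: the AP-REQ and KRB-PRIV bodies are placeholder bytes, the replies are constructed in-process by a FakeTransport rather than read from a DC, and the TCP framing is taken to be the RFC 4120 4-octet length prefix.

```python
# Added example: not Samba or MIT code.  Toy kpasswd client showing the RFC 3244
# framing (0x0001 change-password / 0xff80 set-password) and the UDP-to-TCP
# retry on KRB5KRB_ERR_RESPONSE_TOO_BIG.  Crypto is out of scope: AP-REQ and
# KRB-PRIV are opaque placeholder bytes, and replies are constructed locally.
import struct

KRB5KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 section 7.5.9
KPASSWD_CHANGE_PASSWORD = 0x0001    # RFC 3244 section 2, change own password
KPASSWD_SET_PASSWORD = 0xFF80       # RFC 3244 section 2, administrative set


# --- minimal DER encode/decode, enough for a KRB-ERROR ----------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):            # minimal two's-complement INTEGER
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def der_ctx(n, body):      # context-specific constructed tag [n]
    return der(0xA0 | n, body)

def der_seq(*parts):
    return der(0x30, b"".join(parts))

def der_str(s):            # KerberosString is a GeneralString
    return der(0x1B, s.encode("ascii"))

def krb_error(error_code, realm="EXAMPLE.COM"):
    """KRB-ERROR ([APPLICATION 30]) carrying only its mandatory fields."""
    sname = der_seq(der_ctx(0, der_int(2)),             # name-type NT-SRV-INST
                    der_ctx(1, der_seq(der_str("kadmin"), der_str("changepw"))))
    return der(0x7E, der_seq(
        der_ctx(0, der_int(5)),                          # pvno
        der_ctx(1, der_int(30)),                         # msg-type KRB-ERROR
        der_ctx(4, der(0x18, b"20060306200448Z")),       # stime (GeneralizedTime)
        der_ctx(5, der_int(0)),                          # susec
        der_ctx(6, der_int(error_code)),                 # error-code
        der_ctx(9, der_str(realm)),                      # realm
        der_ctx(10, sname),                              # sname
    ))

def _tlv(buf, off=0):
    """Decode one DER element at buf[off:] -> (tag, value, next_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + ln], off + ln

def krb_error_code(msg):
    """error-code of a KRB-ERROR, or None if msg is not a KRB-ERROR."""
    tag, body, _ = _tlv(msg)
    if tag != 0x7E:
        return None
    _, fields, _ = _tlv(body)
    off = 0
    while off < len(fields):
        tag, val, off = _tlv(fields, off)
        if tag == 0xA0 | 6:
            return int.from_bytes(_tlv(val)[1], "big", signed=True)
    return None


# --- RFC 3244 framing (same shape for request and reply) -------------------
def frame_message(ap_msg, krb_priv, version=KPASSWD_CHANGE_PASSWORD):
    """length | version | AP-REQ/AP-REP length | AP-REQ/AP-REP | KRB-PRIV."""
    total = 6 + len(ap_msg) + len(krb_priv)
    return struct.pack("!HHH", total, version, len(ap_msg)) + ap_msg + krb_priv

def tcp_frame(msg):
    """Assumption: TCP carries the message behind a 4-octet length (RFC 4120 7.2.2)."""
    return struct.pack("!I", len(msg)) + msg

def reply_error_code(reply):
    """Error replies arrive either as a bare KRB-ERROR or as the RFC 3244 frame
    with AP-REQ length 0 and a KRB-ERROR where the KRB-PRIV would be."""
    if reply[:1] == b"\x7e":
        return krb_error_code(reply)
    length, _version, ap_len = struct.unpack("!HHH", reply[:6])
    return krb_error_code(reply[6:length]) if ap_len == 0 else None


# --- client retry logic ----------------------------------------------------
class FakeTransport:
    """Constructed stand-in for sockets: canned reply per protocol, plus a log."""
    def __init__(self, udp_reply, tcp_reply=b""):
        self.udp_reply, self.tcp_reply, self.log = udp_reply, tcp_reply, []

    def exchange(self, proto, payload):
        self.log.append((proto, payload))
        return self.udp_reply if proto == "udp" else self.tcp_reply

def kpasswd_exchange(transport, request):
    """UDP first; retry over TCP only for RESPONSE_TOO_BIG.  Returns (proto, reply)."""
    proto, reply = "udp", transport.exchange("udp", request)
    code = reply_error_code(reply)
    if code == KRB5KRB_ERR_RESPONSE_TOO_BIG:
        raw = transport.exchange("tcp", tcp_frame(request))
        (n,) = struct.unpack("!I", raw[:4])
        proto, reply = "tcp", raw[4:4 + n]
        code = reply_error_code(reply)
    if code is not None:
        raise RuntimeError("kpasswd failed with KRB-ERROR code %d" % code)
    return proto, reply

if __name__ == "__main__":
    req = frame_message(b"<AP-REQ>", b"<KRB-PRIV>", KPASSWD_SET_PASSWORD)
    ok = frame_message(b"<AP-REP>", b"<KRB-PRIV result>")
    t = FakeTransport(udp_reply=krb_error(KRB5KRB_ERR_RESPONSE_TOO_BIG),
                      tcp_reply=tcp_frame(ok))
    print(kpasswd_exchange(t, req)[0], [p for p, _ in t.log])   # tcp ['udp', 'tcp']
```

The point of the two error-reply shapes in reply_error_code is that the too-big condition is raised by the KDC's transport layer, so it arrives as a bare KRB-ERROR, whereas protocol-level failures come back inside the RFC 3244 frame; a client that only checks one shape will misread the other. Any KRB-ERROR other than code 52 is surfaced as a failure rather than retried, so a genuine rejection is not masked by a second attempt.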