Custom Samba KPASSWD implementation

Andrew Bartlett abartlet at
Mon Mar 6 20:04:48 GMT 2006

On Mon, 2006-03-06 at 10:56 -0800, Todd Stecher wrote:
> Why is there a custom Kerberos KPASSWD implementation in SAMBA
> The KPASSWD implementation included in SAMBA can easily fail during net
> ads join operations if the user doing the join is a member of > 300
> groups.  This is because the MS KDC will respond with an error reply of
> "KRB5KRB_ERR_RESPONSE_TOO_BIG," prompting a switch to TCP for subsequent
> KPASSWD messages.
> This is also an issue in the MIT Kerberos implementation (changepw.c),
> which I have fixed.  
> It seems like the SAMBA infrastructure should be making direct calls
> into the MIT kerberos library for KPASSWD operations - I would like to
> make this fix to provide TCP support, but first would like to understand
> why the original implementation did not make this cross-library call.

From memory, at the time MIT did not support the 0xff80 protocol used by
MS, supporting an administrative password set.  We also should direct
the password set to the same DC that we just joined to, so as to avoid
replication delays.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list