[PATCH] Allow Kerberos CHANGEPW request to fallback to TCP

Jeremy Allison jra at samba.org
Wed Mar 22 22:00:46 GMT 2006


On Wed, Mar 22, 2006 at 01:49:48PM -0800, todd stecher wrote:
> The KPASSWD implementation included in Samba 3.x (libads/krb5_setpw.c)
> can easily fail during net ads join operations if the user doing the
> join is a member of > 300 groups.  This is because the MS KDC will
> respond with an error reply of "KRB5KRB_ERR_RESPONSE_TOO_BIG," requiring
> a switch to TCP and a resend of the KPASSWD message.  The current Samba
> codebase does not handle this transition (nor, btw, does the MIT
> Kerberos code).
> 
> The attached patch fixes this problem by:
> 
> 1) Digesting the returned raw KRB_ERROR response from the overly large
> request.
> 
> 2) Switching to TCP (mainly just adding / digesting size bytes prepended
> to the front of the TCP messages, and sending them to the KDC via TCP).

Thanks for this! Looks nice (except for the C++ style comments :-).

> Couple of notes here:
> 
> 1) The organization I'm working with is using CVS, so I'm not sure how
> compatible this diff is with one generated by SVN (no difference,
> AFAIK).

Should be the same.

> 2) The code base is roughly the 3.0.11 Samba distribution.  The 3.0.11
> version of krb5_setpw.c is == to the 3.0.21a version, so that should be
> a no-op.

We can work that out and merge across.

> 3) I worked at Microsoft for 9 years, mostly as the primary Kerberos /
> SPNEGO developer. I was also intimately familiar with NTLM / SSL / PKI /
> Netlogon / Active Directory development.  I have since moved on to
> independent consulting in the authentication / authorization space, with
> an emphasis on cross platform integration.
> 
> If there's a question of "taint", feel free to deny this patch
> submission - note that I have not worked at MS in this capacity since
> Sep 2004, nor was any MS IP / source code used in the creation of this
> patch.  I spoke offline with Andrew about this issue, and he proposed we
> hash it out in an open forum.

This is a standards based patch to a standards based part of Samba. I don't
think there's a problem with taint or contamination here - I'll look at
merging this so long as no other Samba developer objects.

So long as you don't check in AD-replication code I'm sure this is ok :-).

I really appreciate the help with this, thanks. 

Jeremy.
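The fallback Todd describes, as an added Python sketch written for this thread (it is neither the attached patch nor Samba's krb5_setpw.c): a minimal DER walker pulls error-code out of a KRB-ERROR, Kerberos-over-TCP messages get the 4-byte size prefix, and a stand-in KDC returns RESPONSE_TOO_BIG for an oversized UDP request so the client resends the same bytes over TCP. The error code value 52 is from RFC 4120; the 1400-byte UDP limit, the stand-in KDC and the abbreviated KRB-ERROR are constructed for the example.

```python
import struct
KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code behind KRB5KRB_ERR_RESPONSE_TOO_BIG
APP_KRB_ERROR = 0x7E            # tag byte of KRB-ERROR ::= [APPLICATION 30]
UDP_LIMIT = 1400                # assumed datagram budget of the stand-in KDC below

def der_read(buf, pos=0):       # one DER TLV at buf[pos] -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:           # long form: 0x8N followed by N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_write(tag, content):    # short-form lengths only; enough for the sample below
    return bytes([tag, len(content)]) + content

def krb_error_code(msg):        # error-code ([6] Int32) of a KRB-ERROR, None if msg is not one
    tag, body, _ = der_read(msg)
    if tag != APP_KRB_ERROR:
        return None
    _, seq, _ = der_read(body)  # the SEQUENCE inside the APPLICATION wrapper
    pos = 0
    while pos < len(seq):
        ctag, field, pos = der_read(seq, pos)
        if ctag == 0xA6:        # context tag [6]; stime, susec, realm, e-data are skipped
            return int.from_bytes(der_read(field)[1], "big", signed=True)
    return None

def make_krb_error(code):       # constructed, abbreviated KRB-ERROR: pvno, msg-type, error-code
    fields = b"".join(der_write(t, der_write(0x02, v)) for t, v in
                      ((0xA0, b"\x05"), (0xA1, b"\x1e"), (0xA6, bytes([code]))))
    return der_write(APP_KRB_ERROR, der_write(0x30, fields))

def tcp_frame(msg):             # Kerberos over TCP: 4-byte big-endian length, then the message
    return struct.pack("!I", len(msg)) + msg
def tcp_unframe(stream):        # strip the size bytes the KDC prepends to its TCP reply
    return stream[4:4 + struct.unpack("!I", stream[:4])[0]]

def fake_kdc(data, over_tcp):   # stand-in KDC: refuses oversized UDP, frames its TCP answers
    request = tcp_unframe(data) if over_tcp else data
    if not over_tcp and len(request) > UDP_LIMIT:
        return make_krb_error(KRB_ERR_RESPONSE_TOO_BIG)
    reply = b"KRB-PRIV reply placeholder"
    return tcp_frame(reply) if over_tcp else reply

def kpasswd_send(request):      # client: try UDP; on RESPONSE_TOO_BIG resend the same bytes over TCP
    reply = fake_kdc(request, over_tcp=False)
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        return tcp_unframe(fake_kdc(tcp_frame(request), over_tcp=True)), "tcp"
    return reply, "udp"
```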


More information about the samba-technical mailing list