summaries krb5 keytab requirements

Gerald (Jerry) Carter jerry at
Fri May 19 15:41:39 GMT 2006


I'm trying to wrap my head around all of the past issues
that have caused our krb5 code to look like it does today
(with hopes of cleaning things up).  These are my random
thoughts.  Please correct me if I am wrong on any point.

We only need to derive the Salt for DES keys if we are in an
AD domain and if the account has the USE_DES_KEYS flag set.
Otherwise, service tickets are always encrypted with RC4-HMAC.
This will make a lot of the loops in derive_salting_for_principal()
go away.  The principal names used for salting DES keys are:

SPN values
The CIFS/machine principal name is unnecessary in AD (even though
clients ask for it):

dNSHostName & SPN
See this on the relationship between the dNSHostName and SPN
values and the "Validated write" access permission.

kinit -k
This does not require a UPN, but can use the sAMAccountName

SPN case insensitivity from Windows XP clients in MIT realms

I'm not really sure what to do here.  The real fix it seems
would be to simply canonicalize the SPN by the TGS before it is granted
in the service ticket.  It seems that storing a vast number of
possible SPNs in /etc/krb5.keytab is really ugly.

-- cheers, jerry

$ cat ~/.signature
"What man is a man who does not make the world better?"      --Balian
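Added example, not code from Jerry's mail or from Samba: it models the two keytab questions the mail raises with toy in-memory keytab entries. The AD salt rule for salted enctypes (DES, AES) is taken from MS-KILE and is an assumption here, since the mail does not spell it out; the lookup that tolerates the SPN case variants Windows clients send is the client-side analogue of the TGS-side canonicalization the mail wishes for. Sample keytab entries and hostnames are constructed.

```python
"""Added example (not from the mail or from Samba): AD salt derivation and
case-tolerant keytab lookup, modelled on in-memory keytab entries."""
from dataclasses import dataclass
from typing import List, Optional


def ad_salt(realm: str, sam_account_name: str) -> str:
    """Salt an AD KDC uses for salted enctypes (DES, AES).

    Rule as documented in MS-KILE (assumption, see lead-in):
      user accounts:     REALM + sAMAccountName (case preserved)
      computer accounts: REALM + "host" + name-without-'$' lowercased
                         + "." + realm lowercased
    RC4-HMAC keys come from the NT hash and take no salt, which is why
    the salt only matters once DES keys are in play.
    """
    realm_upper = realm.upper()
    if sam_account_name.endswith("$"):
        machine = sam_account_name[:-1].lower()
        return f"{realm_upper}host{machine}.{realm.lower()}"
    return f"{realm_upper}{sam_account_name}"


@dataclass(frozen=True)
class KeytabEntry:
    principal: str  # "service/host@REALM" or "name@REALM"
    enctype: str
    kvno: int


def canonical_principal(principal: str) -> str:
    """Normalise an SPN for matching: service and host lowercased, realm
    uppercased. One keytab entry then serves every case variant a client
    might send, instead of one entry per spelling."""
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no realm component present
        name, realm = realm, ""
    if "/" in name:
        service, host = name.split("/", 1)
        name = f"{service.lower()}/{host.lower()}"
    return f"{name}@{realm.upper()}" if realm else name


def find_keys(keytab: List[KeytabEntry], requested_spn: str,
              enctype: Optional[str] = None,
              default_realm: Optional[str] = None) -> List[KeytabEntry]:
    """Return entries matching the requested SPN regardless of the case
    the client used, optionally filtered by enctype. A request without a
    realm gets default_realm appended when one is given."""
    if "@" not in requested_spn and default_realm:
        requested_spn = f"{requested_spn}@{default_realm}"
    wanted = canonical_principal(requested_spn)
    return [
        e for e in keytab
        if canonical_principal(e.principal) == wanted
        and (enctype is None or e.enctype == enctype)
    ]


# Constructed sample keytab: one RC4-HMAC entry per principal, which is
# all an AD member needs when USE_DES_KEYS is not set.
SAMPLE_KEYTAB = [
    KeytabEntry("cifs/fs1.example.com@EXAMPLE.COM", "arcfour-hmac", 3),
    KeytabEntry("host/fs1.example.com@EXAMPLE.COM", "arcfour-hmac", 3),
    KeytabEntry("FS1$@EXAMPLE.COM", "arcfour-hmac", 3),
]


if __name__ == "__main__":
    print("computer salt:", ad_salt("example.com", "FS1$"))
    print("user salt:    ", ad_salt("example.com", "jerry"))
    for spn in ("cifs/FS1.EXAMPLE.COM@EXAMPLE.COM", "CIFS/fs1.example.com"):
        hits = find_keys(SAMPLE_KEYTAB, spn, default_realm="EXAMPLE.COM")
        print(spn, "->", [(e.principal, e.enctype, e.kvno) for e in hits])
```

Requesting a DES enctype against this keytab returns nothing, which is the situation the mail describes: without USE_DES_KEYS there is no DES key to find and no salt to compute.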
