svn commit: samba r21436 - in branches/SAMBA_4_0/source/heimdal/kdc: .

Love Hörnquist Åstrand lha at
Thu Feb 22 00:44:10 GMT 2007

19 feb 2007 kl. 10.27 skrev metze at

> Author: metze
> Date: 2007-02-18 23:27:42 +0000 (Sun, 18 Feb 2007)
> New Revision: 21436
> WebSVN: 
> view=rev&root=samba&rev=21436
> Log:
> Choose the TGT session key enctype also by checking what enctypes
> the krbtgt hdb entry provides.
> We need to make sure other KDC's with the same hdb backend data
> can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac- 
> sha1-96 (18)
> session keys.)
> Love: I'm not sure if this is the correct way of doing it...

Its the correct way to doing it.

The problem is that you don't get better security then your krbtgt  
and there
is no good tool to add an enctype to an entry. That is, unless you,  
like me, think
kadmin dump bar ; grep krbgtb/REALM at RELAM bar > foo ; emacs foo ;  
kadmin merge foo
is a prefect good way to change your database.

I guess this show that there is a real need for such a tool,
there is a kadmin del_enctype, but no kadmin add_enctype.

I make a commit that is diffrent, it uses the expliti list of keys  
instead of etype list,
is that ok with you ?


More information about the samba-technical mailing list