[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha5-243-gfcabe24

Stefan (metze) Metzmacher metze at samba.org
Thu Aug 14 11:26:59 GMT 2008


Love Hörnquist Åstrand wrote:
>> commit dbb94133e0313cae933d261af0bf1210807a6d11
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date:   Fri Aug 8 15:22:39 2008 +0200
>>
>>    krb5: always generate the acceptor subkey as the same enctype as
>> the used service key
> 
> Why doesn't the client use the acceptor subkey ?

The problem was that the client calls gsskrb5_get_subkey() after the
first call to gss_init_sec_context() (and cached it), so the acceptor
subkey has no chance to be there...

I also found that Windows always creates an acceptor subkey, but for
older enctypes it's the same as the initiator subkey.

Also Windows as server doesn't return an AES subkey if the client
indicates support for it. However Windows as client seems to accept a
server doing so.

It would be nice to be able to configure the "upgrade" to an AES subkey
via some API call. Maybe as an option on the acceptor gss_cred_id_t.

It would also be nice to control the enctype list on the client side,
for the AP-REQ.

metze
