[PATCH] Joining a Windows Server 2008 (Longhorn)

Andrew Bartlett abartlet at samba.org
Wed Jan 30 00:11:20 GMT 2008


On Mon, 2008-01-28 at 11:25 -0600, Gerald (Jerry) Carter wrote:
> 
> Gerald (Jerry) Carter wrote:
> 
> > Pretty sure this has to do with the advertized enc types and
> > the one selected by the DC.    The successful TGS reply on
> > openSUSE client uses RC4-HMAC.  But on the failed cases,
> > the TGS reply is using AES.  I think we are just not handling
> > the user session correctly with AES.  But I'm still looking.
> 
> ok.  Until we figure out the AES session key issue, I've
> restricted enctypes in the krb5.conf that we create to the 3
> types supported by Windows 2003.  I'll push the patch upstream
> soon and it would be good to get a second confirmation that
> it solves the problem.

The AES session key is longer - 32 bytes I think.  This also comes up in
the smb signing case.  Samba4 has this working (which is where I came
across this first, when we moved to a Heimdal KDC that supported AES
and created the longer session keys).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
