Client side matching call for gsskrb5_get_subkey()

Andrew Bartlett abartlet at
Tue Jul 22 09:00:39 GMT 2008

I've been working to get Vista to join Samba4 as a domain member, and in
some instances, it fails due to invalid smb signing.

The problem was that we used the wrong call into Heimdal to get the
session key.  I'm sure I was told it was the wrong thing many moons ago,
but we were calling gsskrb5_get_initiator_subkey().

This worked well, and matched previous Microsoft clients and servers,
and Samba itself.

However, while changing this call to gsskrb5_get_subkey() works for the
server (both for smb signing, and for SAMR password sets - on SAMR we
must truncate to 16 bytes), it gives a different key in the Samba4

What is the matching call we should issue on the Samba client, to get at
the same key?  (I'm presuming the problem is the acceptor subkey).


Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list