[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha5-187-g9678085

Andrew Bartlett abartlet at samba.org
Tue Jul 29 09:38:03 GMT 2008

On Tue, 2008-07-29 at 09:45 +0100, Love Hörnquist Åstrand wrote:
> 29 jul 2008 kl. 01.24 skrev Andrew Bartlett:
> > So, the question is:  What is wrong with Heimdal in this situation?   
> > How
> > do we come to negotiate different keys with the same code in both
> > directions?
> Can you describe what you think the failure is, I don't understand  
> your setup.

Samba4 as a client to Samba4, in a Samba4 domain (ie, all the GSSAPI and
KDC code is lorikeet-heimdal).  

When we use the same function - gsskrb5_get_initiator_subkey() in the
client and server, then we get the same key at each end (and the key
that has matched Microsoft, until we started using AES and CFX).
However, when we use gsskrb5_get_subkey(), we get different keys between
a Samba4 client and and server. 

Note however, get_subkey() gives us the 'right' key on the server, for
Vista clients using CFX.  Metze also found get_subkey() giving him
better results, but something seems wrong if it can't work Samba to

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20080729/5f2e0f8a/attachment.bin

More information about the samba-technical mailing list