> On Mon, 2010-02-01 at 14:28 -0600, Gerald Carter wrote:
>> It's necessary when you don't own the krb5 layer and want
>> to be portable across multiple versions.
> The samba team or third party vendors *may* have this problem.
> But distributions don't as they control exactly what 
> version of the kerberos libraries is distributed in the OS.

True.  I was not thinking in terms of a distro.  But by
owning I meant more in terms of controlling the settings
and options for.  Does the RedHat Samba based domain join
set up all the krb5.conf settings now?  Great if so.  Hmm... But
you still have the issue of affinity to trusted domains
which is a non-static list (over time).

>> The proper solution is to make the krb5 layer site 
>> and affinity aware (e.g. the kdc locator plugin).
> What else do you think is needed beyond the locator plugin ?

To replace the generated krb5.conf feature probably nothing.
Since Guenther has already written such a plugin, he would know
more than me.

I do think however that there is a lot of raw krb5 code that would
be simpler if moved over to use the GSS-API.  But I would need
to think about mapping raw NTLMSSP onto GSS-API.  I'm pretty sure
it would work given that GSS-NTLMSSP works fine.  It would just
be necessary probably to do some input token construction rather than
passing it straight through from the client.

>> I think the generated krb5.conf is just as valid if not as
>> dynamic a solution.
> The problem I see with the generated krb5.conf is that it does not
> always include stuff you want it to include. But as I said I'd be more
> than happy if it could be switched off optionally and leave it on by
> default.

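To make the affinity point above concrete, here is an added illustration (not a file from this thread and not Samba's actual generated output): the first fragment pins KDC addresses the way a generated per-domain krb5.conf does, so it goes stale whenever KDCs move and it says nothing about trusted domains discovered later; the second leaves KDC selection to DNS lookup and a locator plugin. Realm names and addresses are constructed.

```ini
; --- Fragment 1: static, generated-style krb5.conf (constructed) ---
; Every KDC is hard-coded at join time. A trusted realm (here
; TRUSTED.EXAMPLE) is absent unless the generator knew about it,
; and a moved or decommissioned KDC leaves a dead entry behind.
[libdefaults]
    default_realm = CORP.EXAMPLE
    dns_lookup_kdc = false

[realms]
    CORP.EXAMPLE = {
        kdc = 192.0.2.10        ; constructed address, pinned forever
        kdc = 192.0.2.11
    }

[domain_realm]
    .corp.example = CORP.EXAMPLE
    corp.example = CORP.EXAMPLE

; --- Fragment 2: dynamic resolution (constructed) ---
; No kdc = lines. KDCs for CORP.EXAMPLE and for any trusted realm
; are found at request time via DNS SRV records or a KDC locator
; plugin, so site affinity and trusted-domain changes need no
; regeneration of this file.
[libdefaults]
    default_realm = CORP.EXAMPLE
    dns_lookup_kdc = true

[domain_realm]
    .corp.example = CORP.EXAMPLE
    corp.example = CORP.EXAMPLE
```

The two fragments are alternatives, not meant to be concatenated into one file.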