s3 member server to s4 kerberos trouble
Andrew Bartlett
abartlet at samba.org
Tue Jun 29 01:34:48 MDT 2010
On Thu, 2010-06-24 at 10:25 +1000, Andrew Bartlett wrote:
> On Wed, 2010-06-23 at 17:13 +0100, Lukasz Zalewski wrote:
> > On 06/21/2010 08:12 AM, Matthieu Patou wrote:
> > >
> > >>>>
> > >>>>> Looking at the code
> > >>>>> I didn't see many lookups of this attribute, so I wonder how we
> > >>>>> decide
> > >>>>> which encoding the requested principal supports.
> > >>>>>
> > >>>> Correct, we need to use msDS-SupportedEncryptionTypes in kdc/db-glue.c
> > >>>> near where we look at UF_USE_DES_KEY_ONLY.
> > >>>>
> > >>>> The trickier part is that we need to have Samba4's domain join call the
> > >>>> netlogon 'GetDomainInfo' call to set its use of the full set of
> > >>>> encryption types (and the DNS name).
> > >>>>
> > >>>> Attached is my proposed solution
> > >>> I'll try to give a try ;-)
> > >>>
> > >> Did it help?
> > >>
> > > Didn't test it yet, sorry
> > >
> >
> > Hi Andrew, Matthieu
> > Andrew, I'm assuming this patch is already in the master.
> > s3 seems to be working correctly as a member to s4
> >
> > I'm not sure if this is related but I have just noticed a small oddity:
> > using latest master, on newly provisioned samba (without any members) it
> > seems like the default encryption type is ArcFour with HMAC/md5 - i.e.
> > for kinit Administrator at MYDOM
>
> Well spotted!
>
> I'm trying another patch - the last one wasn't really tested very well.
Lukasz,
Can you try again with current master? I've done a lot to rework this
area, and it should not correctly honour this attribute.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
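
The lookup discussed in this thread, as an added example (not code from Samba's kdc/db-glue.c or from any poster): decode msDS-SupportedEncryptionTypes together with UF_USE_DES_KEY_ONLY and pick the strongest enctype the client also offers. The fallback to DES + RC4 when the attribute is unset, the flag overriding the attribute, and the names effective_enctypes, select_enctype and enc_map are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* msDS-SupportedEncryptionTypes bit flags, as defined in [MS-KILE]. */
#define ENC_DES_CBC_CRC 0x01u
#define ENC_DES_CBC_MD5 0x02u
#define ENC_RC4_HMAC    0x04u
#define ENC_AES128_SHA1 0x08u
#define ENC_AES256_SHA1 0x10u
#define ENC_DES_ONLY    (ENC_DES_CBC_CRC | ENC_DES_CBC_MD5)
#define ENC_KNOWN       0x1fu
#define UF_USE_DES_KEY_ONLY 0x00200000u /* userAccountControl flag */
/* Assumption of this example: accounts without the attribute get DES + RC4. */
#define ENC_LEGACY_DEFAULT (ENC_DES_ONLY | ENC_RC4_HMAC)

/* Attribute bit -> Kerberos enctype number, strongest first. */
static const struct { uint32_t bit; int etype; } enc_map[] = {
    { ENC_AES256_SHA1, 18 }, { ENC_AES128_SHA1, 17 }, { ENC_RC4_HMAC, 23 },
    { ENC_DES_CBC_MD5, 3 },  { ENC_DES_CBC_CRC, 1 },
};

/* Enctype bits an account may use; has_attr is 0 when the attribute is unset. */
uint32_t effective_enctypes(uint32_t uac, int has_attr, uint32_t supported)
{
    uint32_t bits = has_attr ? (supported & ENC_KNOWN) : 0;
    if (bits == 0)
        bits = ENC_LEGACY_DEFAULT; /* unset or empty: fall back (assumption) */
    if (uac & UF_USE_DES_KEY_ONLY)
        bits = ENC_DES_ONLY;       /* flag overrides the attribute (assumption) */
    return bits;
}

/* Strongest enctype both sides support, or 0 when there is no overlap. */
int select_enctype(uint32_t bits, const int *client, size_t n)
{
    for (size_t i = 0; i < sizeof(enc_map) / sizeof(enc_map[0]); i++)
        for (size_t j = 0; (bits & enc_map[i].bit) && j < n; j++)
            if (client[j] == enc_map[i].etype)
                return enc_map[i].etype;
    return 0;
}

int main(void)
{
    const int client[] = { 18, 17, 23 }; /* constructed client etype list */
    printf("no attribute -> etype %d\n",
           select_enctype(effective_enctypes(0x200, 0, 0), client, 3));
    return 0;
}
```

With the attribute unset the selection lands on enctype 23 (ArcFour with HMAC/md5) even though the client offers AES, which is the kind of result an audit of account attributes would want to flag.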