s3 member server to s4 kerberos trouble

Andrew Bartlett abartlet at samba.org
Tue Jun 29 01:34:48 MDT 2010


On Thu, 2010-06-24 at 10:25 +1000, Andrew Bartlett wrote:
> On Wed, 2010-06-23 at 17:13 +0100, Lukasz Zalewski wrote:
> > On 06/21/2010 08:12 AM, Matthieu Patou wrote:
> > >
> > >>>>
> > >>>>> Looking at the code
> > >>>>> I didn't see much lookup to this attribute so I wonder how do we
> > >>>>> decide
> > >>>>> which encoding the requested principal supports.
> > >>>>>
> > >>>> Correct, we need to use msDS-SupportedEncryptionTypes in kdc/db-glue.c
> > >>>> near where we look at UF_USE_DES_KEY_ONLY.
> > >>>>
> > >>>> The trickier part is that we need to have Samba4's domain join call the
> > >>>> netlogon 'GetDomainInfo' call to set its use of the full set of
> > >>>> encryption types (and the DNS name).
> > >>>>
> > >>>> Attached is my proposed solution
> > >>> I'll try to give a try ;-)
> > >>>
> > >> Did it help?
> > >>
> > > Didn't test it yet, sorry
> > >
> > 
> > Hi Andrew, Matthieu
> > Andrew, I'm assuming this patch is already in the master.
> > s3 seems to be working correctly as a member to s4
> > 
> > I'm not sure if this is related but I have just noticed a small oddity:
> > using latest master, on newly provisioned samba (without any members) it 
> > seems like the default encryption type is ArcFour with HMAC/md5 - i.e.
> > for kinit Administrator at MYDOM
> 
> Well spotted!
> 
> I'm trying another patch - the last one wasn't really tested very well. 

Lukasz,

Can you try again with current master?  I've done a lot to rework this
area, and it should not correctly honour this attribute. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.