MIT Krb5 KDC in the AD DC

Andrew Bartlett abartlet at
Thu Aug 7 15:55:57 MDT 2014

On Thu, 2014-08-07 at 17:50 +0200, Andreas Schneider wrote:
> On Friday 01 August 2014 15:35:24 Andrew Bartlett wrote:
> > Can we try and avoid adding back all this glue by taking an alternative
> > approach on the kpasswd server?  It is the only user of the gensec_krb5
> > code, which is essentially still the old, horrid, kerberos acceptor from
> > the 3.0 days.
> Yep!
> Günther and I worked on starting kadmind the whole week. We can change 
> passwords with kpasswd now!

Great!  The only concern that came to my mind is a rename risk:  Do you
have some way to determine that if you get a ticket to change the
password on one user, and before the password is changed that user is
renamed, and a new user created in its place, you change the password on
the 'right' user?

(The SID in the PAC would be unchanged, but the principal would have

> In the MIT KRB5 build we don't build gensec_krb5 and we removed the patches we 
> resurrected for this. We will take a look later if we could remove gensec_krb5 
> completely.

The trouble is we don't run the Heimdal kadmind, so I think we are stuck
with some of gensec_krb5 for the Heimdal case.

> So here is an updated branch for review:

I'll take another look over it.  I was quite pleased with it when I last
looked over that part of the changes.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
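The rename race raised above, modelled as an added example (this is not Samba code): a kpasswd server that resolves the target by the principal name in the ticket hits the newly created namesake, while one that resolves by the SID the PAC carried at ticket issue still reaches the account that authenticated. The directory, accounts and SID values are constructed stand-ins for the AD DC.

```python
from dataclasses import dataclass

@dataclass
class Account:
    sid: str               # objectSid: fixed for the life of the object
    name: str              # account name / principal: changes on rename
    password: str = "old"

class Directory:
    """Constructed stand-in for the DC's user database, keyed by objectSid."""
    def __init__(self):
        self.by_sid = {}
    def add(self, acct):
        self.by_sid[acct.sid] = acct
    def lookup_by_name(self, name):
        return next((a for a in self.by_sid.values() if a.name == name), None)
    def lookup_by_sid(self, sid):
        return self.by_sid.get(sid)

def change_password_by_name(directory, pac, new_pw):
    """Naive kpasswd target resolution: trust the principal name in the ticket."""
    target = directory.lookup_by_name(pac["principal"])
    if target is None:
        return False
    target.password = new_pw
    return True

def change_password_by_sid(directory, pac, new_pw):
    """Resolve by the SID the PAC carried at ticket issue; the SID survives a
    rename, so the change lands on the account that actually authenticated."""
    target = directory.lookup_by_sid(pac["sid"])
    if target is None:
        return False
    target.password = new_pw
    return True

def rename_race(change_fn):
    """Replay the scenario from the mail: ticket issued for 'alice', alice is
    renamed, a new 'alice' is created, then the password change arrives.
    Returns (original's password, newcomer's password, change accepted)."""
    d = Directory()
    original = Account(sid="S-1-5-21-CONSTRUCTED-1001", name="alice")
    d.add(original)
    pac = {"sid": original.sid, "principal": original.name}  # snapshot in ticket
    original.name = "alice.old"                               # rename
    newcomer = Account(sid="S-1-5-21-CONSTRUCTED-1002", name="alice")
    d.add(newcomer)                                           # namesake created
    ok = change_fn(d, pac, "new")
    return original.password, newcomer.password, ok
```

Run `rename_race(change_password_by_name)` and `rename_race(change_password_by_sid)` to compare which account ends up with the new password in each case.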


More information about the samba-technical mailing list