MIT Krb5 KDC in the AD DC

Andrew Bartlett abartlet at
Thu Aug 7 21:08:29 MDT 2014

On Thu, 2014-08-07 at 17:50 +0200, Andreas Schneider wrote:
> On Friday 01 August 2014 15:35:24 Andrew Bartlett wrote:
> > Can we try and avoid adding back all this glue by taking an alternative
> > approach on the kpasswd server?  It is the only user of the gensec_krb5
> > code, which is essentially still the old, horrid, kerberos acceptor from
> > the 3.0 days.
> Yep!
> Günther and I worked on starting kadmind the whole week. We can change 
> passwords with kpasswd now!
> In the MIT KRB5 build we don't build gensec_krb5 and we removed the patches we 
> resurrected for this. We will take a look later if we could remove gensec_krb5 
> completely.
> So here is an updated branch for review:

I've reviewed and pushed all these, except:

lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT.

You mean, I think, 
s4-kdc: Use KRB5KDC_ERR_KEY_EXP error code available in both MIT and

Also skipped were:

Remove custom password change code in libads (we need the tests I
mentioned earlier)
krb5_wrap: Use com_err in krb5_warnx. (It's fine, and reviewed, but it
was just missing the signed-off tag).

Also skipped for the same missing signed-off-by are the gensec_krb5
wscript change and:

pick e3e4834 lib/krb5_wrap: make sure smb_krb5_principal_get_realm
returns a malloced string.
pick d9716f1 s3-libads/krb5_setpw: free realm from
pick 32237c8 s4-dsdb/cracknames: free realm from

Aside from the tests, all this is pretty cosmetic, please tidy it up,
add my review tag and push. 


Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
