MIT krb5 for Samba4 (was: Re: Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?))

Andreas Schneider asn at
Thu Dec 17 05:45:31 UTC 2015

On Thursday 17 December 2015 14:44:06 Andrew Bartlett wrote:
> Yes, I'm aware of that.  However I'm not aware of the same kind of
> attacks on arcfour-hmac-md5, because while MD5 is weak, HMAC-MD5 is
> still considered strong, and the arcfour use involves (like schannel) a
> confounder, that avoids the biggest weakness of RC4, because the first
> encrypted bytes are of random data.
> I continue to look forward to the MIT merge - we don't have a choice in
> any case:  Heimdal is essentially dead (read the recent inability to
> release thread on heimdal-discuss), and we need to un-hitch from that
> wagon now.  It makes me very sad, but I don't have the resources (e.g.
> become the Heimdal maintainer) to change those facts on the ground.  
> We still need to sort out some logistical matters (like how we would
> get patches, like the ones metze often does into our fork upstream into
> MIT)

You open a pull request on GitHub and after some ping pong it gets merged.
That's how I implemented support for GSS_KRB5_CRED_NO_CI_FLAGS_X and got it
upstream. I've started to implement krb5_get_init_creds_opt_set_pac_request().

> , and how we keep the test coverage from my insane
> 'decode/inspect/reencode the packet' tests, but as I said at SambaXP,
> the question is how, not if, we do this.

Looking at the tests I don't see why we should test return codes of the KDC. I 
would say that's the responsibility of MIT Kerberos to make sure it behaves 

So tests for this should be upstream ...

	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at
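
The confounder mentioned in the quoted message, shown as an added example that is not part of the original thread and is not Samba, Heimdal or MIT code: the non-export arcfour-hmac-md5 encryption of RFC 4757 in Python, where the 8 confounder bytes are the first data RC4 encrypts and the RC4 key is derived per message from the checksum. The function names and the 16-byte key used with it are constructed for illustration; `usage` is the RFC 4757 message-type number.

```python
import hashlib
import hmac
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 (non-export): checksum || RC4(K3, confounder || plaintext)."""
    # The confounder parameter exists only so the example can be tested
    # deterministically; real use always takes fresh random bytes.
    confounder = os.urandom(8) if confounder is None else confounder
    k1 = hmac_md5(key, usage.to_bytes(4, "little"))   # key bound to the usage
    checksum = hmac_md5(k1, confounder + plaintext)   # covers confounder + data
    k3 = hmac_md5(k1, checksum)                       # per-message RC4 key
    return checksum + rc4(k3, confounder + plaintext)

def decrypt(key: bytes, usage: int, token: bytes) -> bytes:
    """Rebuild K3 from the checksum, decrypt, verify the HMAC, drop the confounder."""
    checksum, body = token[:16], token[16:]
    k1 = hmac_md5(key, usage.to_bytes(4, "little"))
    clear = rc4(hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(checksum, hmac_md5(k1, clear)):
        raise ValueError("integrity check failed")
    return clear[8:]
```

Encrypting the same plaintext twice under the same key yields different checksums, different RC4 keys and therefore different ciphertext, because the confounder feeds the HMAC that derives K3.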
