MIT krb5 for Samba4 (was: Re: Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?))

Andrew Bartlett abartlet at
Fri Dec 18 20:18:53 UTC 2015

On Thu, 2015-12-17 at 06:45 +0100, Andreas Schneider wrote:
> On Thursday 17 December 2015 14:44:06 Andrew Bartlett wrote:

> > , and how we keep the test coverage from my insane
> > 'decode/inspect/reencode the packet' tests, but as I said at
> > SambaXP,
> > the question is how, not if, we do this.
> Looking at the tests I don't see why we should test return codes of
> the KDC. I 
> would say that's the responsibility of MIT Kerberos to make sure it
> behaves 
> correctly.
> So tests for this should be upstream ...

I know it is inconvenient, but please don't dismiss this test until you
have passed it.  It passes against Windows, and covers an incredible
amount of previously untested code, and exposes some quite odd
behaviour in the Windows KDC, particularly around enterprise principal

To be clear, it tests far more than the presumably well-known KDC
internals: adding that test required no changes in Hemidal, but a
massive set of changes in our HDB layer.

Finally, even if this test 'belongs' somewhere else, we can't be an AD
DC without *comparative* tests, we can't just rely on correctness tests
in another project.  That is because what matters is the end-to-end
behaviour that we can prove against AD, not just a promise that another
project adherers to their (possibly different) internal or RFC


Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

More information about the samba-technical mailing list