Some patches for import-lorikeet-heimdal branch

Isaac Boukris iboukris at
Mon Nov 12 13:45:13 UTC 2018

On Mon, Nov 12, 2018 at 3:52 AM Andrew Bartlett <abartlet at> wrote:
> On Sun, 2018-11-11 at 01:28 +0200, Isaac Boukris via samba-technical
> wrote:
> > On Fri, Nov 9, 2018 at 12:56 AM Isaac Boukris <iboukris at> wrote:
> > >
> > The last commit was not easy (as initially I couldn't reproduce
> > outside the test environment). I wonder what can we actually do about
> > it. In the short term we can try to move some assertions to the
> > callbacks.
> I agree, putting the assertions in the callbacks sounds like a plan.

Actually it won't work for the canonicalization flag since we need the
cchache to be initialized with the funny enterprise name.

> We should also see if we really do need to modify the packet as much as
> we do.

For the canoonicalization flag, I think we should just treat it as a
bug and fix it so it won't be implied in the enterprise case. If
upstream insist on keeping the current behavior we can suggest to move
the implied canon flag to kinit code where it won't impact on library
users, otherwise we'd need an alternative test. Note that MIT client
code does not imply canon when enterprise though the KDC does, we'd
need to address that too.

> We should probably also work on a strategy to get this all merged.
> When I was last working on it, I was trying to get FAST going, but the
> FAST code in heimdal's client wasn't complete.  There is better code in
> Apple's code dump, but do we just copy out one file or should we try
> and look into their advances more generally?
> It would be great if someone would build a git tree (ideally with a
> script to allow verification) from the stuff thrown over the wall.
> There are a few repositories out there but they are out of date...

One would hope those changes get submitted upstream heimdal.

> Finally, for the changes around the etype_info2, a manual check needs
> to be done to confirm that password lockout isn't being double-
> triggered from Windows.  I realise we would now match windows exactly,
> but a manual check is still needed.

I just tested it manually by reverting the commit and trying to logon
to win7 member server and it triggers two PREAUTH_FAILED on the wire,
while with the commit applied only one.

More information about the samba-technical mailing list