[Samba] Kerberos Keytab Code Update in 3.0.23

Gerald (Jerry) Carter jerry at samba.org
Thu Jul 20 18:32:51 GMT 2006

Doug VanLeuven wrote:
> Gerald (Jerry) Carter wrote:
>> Doug,
>>> File a bug report if you believe this to be true.  I'm not at 3.0.23
>>> right now and don't have the time to try it
>>> here.  I wouldn't want to lose this. I did see a mention
>>> they dropped support of joins from machines where
>>> the domain differs from the realm, but haven't had time to check
>>> this. There has been a rewrite of the
>>> ads join code since 3.0.22.
>> Doug,
>> You should probably review my comments to Scott. Keytab
>> support is being rewritten, not dropped.
> I was saying dns domain not equal realm dropped
> and rewrite ads join code

No it wasn't.  I run with this on a daily basis.
Perhaps something else is contributing to your failures.

>> PS: I asked our Apache guy (at Centeris) who is working
>> with mod_auth_kerb and he claims that krb5 authentication
>> to http://SerVer.ExaMple.COM still gets a ticket for
>> HTTP/server.example.com which supports my theory about
>> tickets based on SPN values.
> Yes, it works with rc4-hmac.  But it's been coming 
> back to me. It didn't work with des-cbc-md5 until
> the permutations were added.  How soon we forget.
> It's really difficult to test des-only now.  Have to
> join with rc4, then hand edit with adsi.exe in the
> AD, then remove the rc4 from krb5.conf
> and reboot the machine to purge the caches, because 
> samba sets the des-only on a compile time flag.

I'll go back and retest but I'm still not convinced
(until I can reproduce it myself).

cheers, jerry
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --