[Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter
jerry at samba.org
Thu Jul 20 18:32:51 GMT 2006
Doug VanLeuven wrote:
> Gerald (Jerry) Carter wrote:
>>> File a bug report if you believe this to be true. I'm not at 3.0.23
>>> right now and don't have the time to try it
>>> here. I wouldn't want to lose this. I did see a mention
>>> they dropped support of joins from machines where
>>> the domain differs from the realm, but haven't had time to check
>>> this. There has been a rewrite of the
>>> ads join code since 3.0.22.
>> You should probably review my comments to Scott. Keytab
>> support is being rewritten, not dropped.
> I was saying dns domain not equal realm dropped
> and rewrite ads join code
No it wasn't. I run with this on a daily basis.
Perhaps something else is attributing to your failures.
>> PS: I asked our Apache guy (at Centeris) who is working
>> with mod_auth_kerb and he claims that krb5 authentication
>> to http://SerVer.ExaMple.COM still gets a ticket for
>> HTTP/server.example.com which supports my theory about
>> tickets based on SPN values.
> Yes, it works with rc4-hmac. But it's been coming
> back to me. It didn't work with des-cbc-md5 until
> the permutations were added. How soon we forget.
> It's really difficult to test des-only now. Have to
> join with rc4, then hand edit with adsi.exe in the
> AD, then remove the rc4 from krb5.conf
> and reboot the machine to purge the caches, because
> samba sets the des-only on a compile time flag.
I'll go back and retest but I'm still not convinced
(until I can reproduce it myself).
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --