[Samba] Kerberos Keytab Code Update in 3.0.23

Doug VanLeuven roamdad at sonic.net
Fri Jul 21 21:41:26 GMT 2006


Gerald (Jerry) Carter wrote:
> (a) deriving the DES salt
> (b) generating the keytab file
> (c) optionally creating the UPN as part of the join.
> 
> Please give it a whirl and let me know how it goes.
> Our Krb5 code is over 3 years old spreading about
> multiple MIT and heimdal versions.  It's time for some
> spring cleaning but I don't want to lose functionality
> if we can help it.

Jerry,
2003 Enterprise server
security = ADS
idmap backend = ad
winbind nss info = template sfu

I joined an FC3 using rc4 all is smooth and browsable.

I then removed support for rc4 in enctypes in /etc/krb5.conf.
Edited the machine acct and added the flag for des_only.
The domain controller can't browse the Samba server.  I get
the password dialog box.

This method used to work.  I'll get an older version of
samba and verify that with the current 2003 including
current SP and security patches.

I then commented out the defines in /usr/include/krb5.h
for ENCTYPE_ARCFOUR.  Then configure & make to have a version
of samba where the ifdefs would trigger for des-only code.
This version won't join the domain.

I can try net keytab add on permutations, but don't have the
time until this weekend.

DES-only may be a dinosaur for most modern Kerberos, but
it might be important to eliminate dependency on RC4.
I've been told Longhorn will include encryption types
that use salts and depending on the admin environment
they may want to run non-RC4.  There may also be legacy
considerations where the Kerberos server is Unix based.

Regards, Doug
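A check for the DES-only experiment described in the message above, added here as an example and not part of Doug's post or of Samba's own code: after restricting the enctypes in the [libdefaults] section of /etc/krb5.conf (default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes in MIT krb5) and re-creating the keytab with `net ads keytab create`, inspect the keytab with `klist -ket` and confirm that no ArcFour (rc4-hmac) keys remain. The klist output embedded below is constructed (hostname fc3box.example.com, realm EXAMPLE.COM and timestamps are made up) so the script runs offline; on a real host feed it `"$(klist -ket /etc/krb5.keytab)"` instead.

```shell
#!/bin/sh
# Added example (not from the original post): inspect which encryption
# types a Kerberos keytab holds, as one would after removing RC4 from
# /etc/krb5.conf and re-running "net ads keytab create".

# Constructed sample of "klist -ket /etc/krb5.keytab" output in the
# long-name format older MIT klist prints; not captured from a real host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/21/06 14:00:00 host/fc3box.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 07/21/06 14:00:00 host/fc3box.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 07/21/06 14:00:00 host/fc3box.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 07/21/06 14:00:00 FC3BOX$@EXAMPLE.COM (ArcFour with HMAC/md5)'

# keytab_enctypes: print the distinct enctype names found in klist -ket
# output, one per line. The enctype is the parenthesised text at the end
# of each key line; header lines carry no parentheses and are skipped.
keytab_enctypes() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\))$/\1/p' | sort -u
}

# count_enctypes: number of distinct enctypes in the keytab.
count_enctypes() {
    keytab_enctypes "$1" | wc -l | tr -d ' '
}

# has_rc4: succeed (exit 0) if any key uses ArcFour/rc4-hmac.
has_rc4() {
    keytab_enctypes "$1" | grep -qi 'arcfour'
}

# des_only: succeed (exit 0) only if every key is a DES enctype,
# i.e. nothing is left after filtering out names beginning with "DES ".
des_only() {
    ! keytab_enctypes "$1" | grep -vi '^DES ' | grep -q .
}

# Stand-alone run: report on the constructed sample.
if has_rc4 "$SAMPLE_KLIST"; then
    echo "keytab still contains RC4 keys:"
    keytab_enctypes "$SAMPLE_KLIST"
fi
des_only "$SAMPLE_KLIST" || echo "keytab is not DES-only"
```

If has_rc4 still succeeds after the join, the keytab was written before the enctype restriction took effect or the machine account in AD has not been re-keyed; re-running the keytab creation and checking again is the first thing to try before digging into the Samba build itself.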

