[Samba] Kerberos Keytab Code Update in 3.0.23

Gerald (Jerry) Carter jerry at samba.org
Fri Jul 21 22:42:20 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doug,

Thanks for testing this.

> 2003 Enterprise server
> security = ADS
> idmap backend = ad
> winbind nss info = template sfu
> 
> I joined an FC3 using rc4 all is smooth and browsable.
> 
> I then removed support for rc4 in enctypes in /etc/krb5.conf.
> Edited the machine acct and added the flag for des_only.
> The domain controller can't browse the samba server.  Get
> the password dialog box.
> 
> This method used to work.  I'll get an older version of
> samba and verify that with the current 2003 including
> current SP and security patches.

Did you enable the DES trick in the Windows 2003
registry ?  Otherwise Windows 2003 will always use
RC4-HMAC regardless of the DES_ONLY flag.  That's what
I've found at least.

> I then commented out the defines in /usr/include/krb5.h
> for ENCTYPE_ARCFOUR.  Then configure & make to have a version
> of samba where the ifdefs would trigger for des-only code.
> This version won't join the domain.

Yes.  There is a problem with DES session keys in CIFS
sessions.  That's a known issue on RHEL3 at least.  I'm
still trying to track it down.

> I can try net keytab add on permutations, but don't 
> have the time until this weekend.

Thanks.  I'll be around this weekend as well :-)

> Des only may be a dinosaur for most modern kerberos, but
> it might be important to eliminate dependency on rc4.
> I've been told longhorn will include encryption types
> that use salts and depending on the admin environment
> they may want to run non-rc4.  There may also be legacy
> consideration where the kerberos server is unix based.

DES session keys are an issue for RHEL3 so I will get
that fixed but it will require more investigation.





cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEwVhMIR7qMdg1EfYRAgo4AJsG7086qBdyp/XeYkEWplmPlwlimwCfevXq
G/zpXCCOt56SrM21zJT6EaU=
=M8AK
-----END PGP SIGNATURE-----
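The thread above turns on which Kerberos enctypes a client is willing to negotiate (RC4-HMAC versus DES-only) as set in /etc/krb5.conf. As an added example, not part of this message or of Samba's code, here is a small checker that reads the [libdefaults] section of a krb5.conf file, reports every DES or RC4 enctype left in the enctype lists, flags allow_weak_crypto, and produces a hardened copy of the settings. The sample configuration, the helper names (parse_libdefaults, audit_enctypes, harden) and the strength groupings are my own; the enctype spellings are the ones MIT krb5 accepts.

```python
"""Audit and harden the Kerberos enctype settings in krb5.conf [libdefaults].

Hypothetical checker written to accompany this thread (not Samba or MIT code).
It flags DES (the des_only path discussed above) and RC4 as weak, marks 3DES
as legacy, and notes when allow_weak_crypto would let DES be negotiated at all.
"""
import re

# Enctype names as MIT krb5 spells them (aliases included), grouped by strength.
WEAK_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des"}
WEAK_RC4 = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
            "arcfour-hmac-exp", "rc4-hmac-exp"}
LEGACY_3DES = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of krb5.conf text.

    Only whole-line comments (# or ;) are stripped, matching krb5.conf rules;
    nested relations and other sections are ignored for this audit.
    """
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def classify(enctype):
    """Map one enctype name to a verdict string."""
    name = enctype.lower()
    if name in WEAK_DES:
        return "weak-des"
    if name in WEAK_RC4:
        return "weak-rc4"
    if name in LEGACY_3DES:
        return "legacy-3des"
    return "ok"


def split_enctypes(value):
    """krb5.conf enctype lists may be separated by spaces or commas."""
    return [e for e in re.split(r"[\s,]+", value) if e]


def audit_enctypes(text):
    """Return [(setting, value, verdict)] for every finding in the config."""
    values = parse_libdefaults(text)
    findings = []
    for key in ENCTYPE_KEYS:
        for enctype in split_enctypes(values.get(key, "")):
            verdict = classify(enctype)
            if verdict != "ok":
                findings.append((key, enctype, verdict))
    # Modern MIT krb5 refuses DES unless allow_weak_crypto is true, so this
    # switch is what actually makes a DES-only machine account usable.
    if values.get("allow_weak_crypto", "false").lower() == "true":
        findings.append(("allow_weak_crypto", "true", "weak-crypto-enabled"))
    return findings


def harden(text):
    """Return the [libdefaults] settings with DES/RC4/3DES removed and
    allow_weak_crypto forced off; enctype lists that become empty are
    dropped so the library's own defaults apply."""
    values = dict(parse_libdefaults(text))
    for key in ENCTYPE_KEYS:
        if key in values:
            kept = [e for e in split_enctypes(values[key]) if classify(e) == "ok"]
            if kept:
                values[key] = " ".join(kept)
            else:
                del values[key]
    values["allow_weak_crypto"] = "false"
    return values


# Constructed sample: a client still carrying RC4 and DES in its lists.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac des-cbc-crc
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    allow_weak_crypto = true
"""

if __name__ == "__main__":
    for setting, value, verdict in audit_enctypes(SAMPLE_KRB5_CONF):
        print(f"{verdict:22s} {setting} = {value}")
    print("hardened:", harden(SAMPLE_KRB5_CONF))
```

Run it against a real /etc/krb5.conf by reading the file into `audit_enctypes`; a clean result is an empty list. The hardened output keeps only the AES enctypes, which is what a DC that has been told to avoid RC4 will negotiate anyway.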