[Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter
jerry at samba.org
Fri Jul 21 22:42:20 GMT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Thanks for testing this.
> 2003 Enterprise server
> security = ADS
> idmap backend = ad
> winbind nss info = template sfu
> I joined an FC3 using rc4 all is smooth and browsable.
> I then removed support for rc4 in enctypes in /etc/krb5.conf.
> Edited the machine acct and added the flag for des_only.
> The domain controller can't browse the samba server. Get
> the password dialog box.
> This method used to work. I'll get an older version of
> samba and verify that with the current 2003 including
> current SP and security patches.
Did you enable the DES trick in the Windows 2003
registry ? Otherwise Windows 2003 will always use
RC4-HMAC regardless of the DES_ONLY flag. That's what
I've found at least.
> I then commented out the defines in /usr/include/krb5.h
> for ENCTYPE_ARCFOUR. Then configure & make to have a version
> of samba where the ifdefs would trigger for des-only code.
> This version won't join the domain.
Yes. There is a problem with DES session keys in CIFS
sessions. That's a know issue on RHEL3 at least. I'm
still trying to track it down.
> I can try net keytab add on permutations, but don't
> have the time until this weekend.
Thanks. I'll be around this weekend as well :-)
> Des only may be a dinosaur for most modern kerberos, but
> it might be important to eliminate dependency on rc4.
> I've been told longhorn will include encryption types
> that use salts and depending on the admin environment
> they may want to run non-rc4. There may also be legacy
> consideration where the kerberos server is unix based.
DES session keys are an issue for RHEL3 so I will get
that fixed but it will require more investigation.
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the samba