diff options
| author | Gerald Carter <jerry@samba.org> | 2006-07-11 18:45:22 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:19:15 -0500 |
| commit | 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4 (patch) | |
| tree | e421125eb72e5d729805fa10e2fbf793bea7a350 /source/libads/util.c | |
| parent | 508ba05a8e4a7df8bf7f6ffe3d09a3c461026f78 (diff) | |
| download | samba-6261dd3c67d10db6cfa2e77a8d304d3dce4050a4.tar.gz samba-6261dd3c67d10db6cfa2e77a8d304d3dce4050a4.tar.xz samba-6261dd3c67d10db6cfa2e77a8d304d3dce4050a4.zip | |
r16952: New derive DES salt code and Krb5 keytab generation
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
Diffstat (limited to 'source/libads/util.c')
| -rw-r--r-- | source/libads/util.c | 8 |
1 files changed, 0 insertions, 8 deletions
diff --git a/source/libads/util.c b/source/libads/util.c index 8e3001ccb04..eb6dccb3afd 100644 --- a/source/libads/util.c +++ b/source/libads/util.c @@ -48,14 +48,6 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip goto failed; } - /* Determine if the KDC is salting keys for this principal in a - * non-obvious way. */ - if (!kerberos_derive_salting_principal(host_principal)) { - DEBUG(1,("Failed to determine correct salting principal for %s\n", host_principal)); - ret = ADS_ERROR_SYSTEM(EACCES); - goto failed; - } - failed: SAFE_FREE(password); return ret; |