the recent additions for heimdal-compatibility to the kerberos-code in
samba3 have one problem:
they do not work with a win2k3-domain controller.
basically we added a keytab for heimdal just for one reason: the rd_req
function is working differently in heimdal than in MIT kerberos. in
heimdals rd_req a keytab-entry is obligatory. the recent keytab-additions
in kerberos_verify.c create a in memory-keytab on the fly (with a a
hard-coded kvno of "1") so that heimdals rd_req can succeed. while this
is fine for a win2kdc (kvnos are always 1), this does not work with a
win2k3dc (increasing kvnos). kvnos would have to be queried from ads via
ldap in advance.
thanks to luke howard (who proposed the following fix), the easiest way to
solve that would be to disable at least the keytab-create-function and to
use a keytab-less rd_req for heimdal-builds (the new rd_req for heimdal
looks much the same as the original heimdal-version. just the
get_key_from_keytab-part is missing.)
this way we gain the chance that users can use tickets obtained from a
win2k3dc (and a very recent heimdal-snapshot with a working
arcfour-implementation because des-keys do *not* work here).
i tested the patch with
heimdal-0.4e, des-key, win2kdc
heimdal-0.6+rc4fix, arcfour-key, win2k3dc
this problem has to be solved before 3.0.0 ships, i think.
Guenther Deschner email@example.com
SuSE Linux AG GnuPG: 8EE11688
Berliner Str. 27 phone: +49 (0) 30 / 430944778
Created attachment 161 [details]
Ok, created this so we could track it. This will not get fixed before
official 3.0 ship, but is targetted for 3.0.1 - we need to revisit the
keytab code for then.
Jeremy, is this still an issue?
This was fixed with the kvno code. Can't remember exactly what release.
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.