Hello *,

the recent additions for heimdal-compatibility to the kerberos-code in samba3 have one problem: they do not work with a win2k3-domain controller.

Basically we added a keytab for heimdal just for one reason: the rd_req function is working differently in heimdal than in MIT kerberos. In heimdal's rd_req a keytab-entry is obligatory. The recent keytab-additions in kerberos_verify.c create an in-memory keytab on the fly (with a hard-coded kvno of "1") so that heimdal's rd_req can succeed. While this is fine for a win2kdc (kvnos are always 1), this does not work with a win2k3dc (increasing kvnos). kvnos would have to be queried from ads via ldap in advance.

Thanks to luke howard (who proposed the following fix), the easiest way to solve that would be to disable at least the keytab-create-function and to use a keytab-less rd_req for heimdal-builds (the new rd_req for heimdal looks much the same as the original heimdal-version, just the get_key_from_keytab-part is missing). This way we gain the chance that users can use tickets obtained from a win2k3dc (and a very recent heimdal-snapshot with a working arcfour-implementation, because des-keys do *not* work here).

I tested the patch with:
- heimdal-0.4e, des-key, win2kdc
- heimdal-0.6+rc4fix, arcfour-key, win2k3dc

This problem has to be solved before 3.0.0 ships, I think.

Thanks,
guenther

Guenther Deschner gd@suse.de
SuSE Linux AG GnuPG: 8EE11688
Berliner Str. 27 phone: +49 (0) 30 / 430944778
Created attachment 161 [details] Proposed patch.
Ok, created this so we could track it. This will not get fixed before official 3.0 ship, but is targeted for 3.0.1 - we need to revisit the keytab code for then. Jeremy.
Jeremy, is this still an issue?
This was fixed with the kvno code. Can't remember exactly what release. Jeremy.
Originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.