Bug 492 - Samba 3.0 doesn't handle kvno's in Heimdal or MIT - W2K3 uses them.
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.0preX
Hardware: All All
Importance: P3 normal
Target Milestone: none
Assigned To: Jeremy Allison
Depends on:
Blocks: 807
Reported: 2003-09-22 14:07 UTC by Jeremy Allison
Modified: 2005-08-24 10:22 UTC (History)
Attachments
Proposed patch. (3.89 KB, patch)
2003-09-22 14:09 UTC, Jeremy Allison

Description Jeremy Allison 2003-09-22 14:07:58 UTC
Hello *,

the recent additions for heimdal-compatibility to the kerberos-code in
samba3 have one problem:

        they do not work with a win2k3-domain controller.

basically we added a keytab for heimdal just for one reason: the rd_req
function is working differently in heimdal than in MIT kerberos. in
heimdal's rd_req a keytab-entry is obligatory. the recent keytab-additions
in kerberos_verify.c create an in-memory keytab on the fly (with a
hard-coded kvno of "1") so that heimdal's rd_req can succeed.  while this
is fine for a win2kdc (kvnos are always 1), this does not work with a
win2k3dc (increasing kvnos). kvnos would have to be queried from ads via
ldap in advance.

thanks to luke howard (who proposed the following fix), the easiest way to
solve that would be to disable at least the keytab-create-function and to
use a keytab-less rd_req for heimdal-builds (the new rd_req for heimdal
looks much the same as the original heimdal-version. just the
get_key_from_keytab-part is missing.)

this way we gain the chance that users can use tickets obtained from a
win2k3dc (and a very recent heimdal-snapshot with a working
arcfour-implementation because des-keys do *not* work here).

i tested the patch with

heimdal-0.4e,           des-key,        win2kdc
heimdal-0.6+rc4fix,     arcfour-key,    win2k3dc

this problem has to be solved before 3.0.0 ships, i think.

thanks,

guenther

Guenther Deschner                                         gd@suse.de
SuSE Linux AG                                        GnuPG: 8EE11688
Berliner Str. 27                      phone:  +49 (0) 30 / 430944778
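
The kvno mismatch described in the report above, as an added example that is not part of the report or of the attached patch. It is a simplified model rather than Samba or Heimdal code: every struct and function name is hypothetical, the tickets are constructed, and a string comparison stands in for ticket decryption.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; every name here is hypothetical, not Samba or Heimdal API. */
struct tkt { const char *sprinc; unsigned kvno; int etype; const char *enc_key; };
struct kt_entry { const char *princ; unsigned kvno; int etype; const char *key; };

/* Constructed sample tickets: etype 3 = des-cbc-md5, 23 = arcfour-hmac-md5. */
static const struct tkt T_W2K  = { "host/smb@EXAMPLE.TEST", 1, 3,  "machine-secret" };
static const struct tkt T_W2K3 = { "host/smb@EXAMPLE.TEST", 3, 23, "machine-secret" };

/* Stand-in for decrypting the ticket: succeeds only with the key the DC used. */
static int decrypt_ok(const struct tkt *t, const char *key)
{
    return key != NULL && strcmp(t->enc_key, key) == 0;
}

/* Keytab lookup: principal, enctype and kvno from the ticket must all match. */
static const char *kt_lookup(const struct kt_entry *kt, size_t n, const struct tkt *t)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(kt[i].princ, t->sprinc) == 0 && kt[i].etype == t->etype &&
            kt[i].kvno == t->kvno)
            return kt[i].key;
    return NULL;
}

/* Behaviour in the report: on-the-fly keytab whose single entry has kvno 1. */
int accept_fixed_kvno(const struct tkt *t, const char *secret)
{
    struct kt_entry kt[1] = { { t->sprinc, 1, t->etype, secret } };
    return decrypt_ok(t, kt_lookup(kt, 1, t));
}

/* Proposed behaviour: skip the lookup, hand the machine key straight to decrypt. */
int accept_keytabless(const struct tkt *t, const char *secret)
{
    return decrypt_ok(t, secret);
}

int main(void)
{
    printf("fixed kvno: w2k=%d w2k3=%d\n", accept_fixed_kvno(&T_W2K, "machine-secret"),
           accept_fixed_kvno(&T_W2K3, "machine-secret"));
    printf("keytab-less: w2k=%d w2k3=%d stale=%d\n", accept_keytabless(&T_W2K, "machine-secret"),
           accept_keytabless(&T_W2K3, "machine-secret"), accept_keytabless(&T_W2K3, "old-secret"));
    return 0;
}
```

In the keytab-less path a wrong or stale machine secret is still rejected, but only at the decryption step, since no kvno comparison takes place.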
Comment 1 Jeremy Allison 2003-09-22 14:09:39 UTC
Created attachment 161
Proposed patch.
Comment 2 Jeremy Allison 2003-09-22 14:10:37 UTC
Ok, created this so we could track it. This will not get fixed before
official 3.0 ship, but is targeted for 3.0.1 - we need to revisit the
keytab code for then.
Jeremy.
Comment 3 Gerald (Jerry) Carter 2004-11-11 13:41:50 UTC
Jeremy, is this still an issue?
Comment 4 Jeremy Allison 2004-11-11 14:02:10 UTC
This was fixed with the kvno code. Can't remember exactly what release.
Jeremy.
Comment 5 Gerald (Jerry) Carter 2005-02-07 09:06:25 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 6 Gerald (Jerry) Carter 2005-08-24 10:22:06 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.