Samba

  • kerberos_derive_salting_principal() is bogus code


    Jeremy,

    Unless I am badly mistaken, this cannot work. I've even
    stepped through with gdb and we never actually succeed in deriving
    the salting principal for DES keys. Here's why:

    () sends a TGS
    for the proposed service principal and then tries to decrypt
    it with the passed in enctype. The problem
    is that the service ticket will always be sealed with
    the strongest key associated with the principal which in
    an AD domain is always RC4-HMAC. But we always skip this
    enctype in ().

    I just don't see any point to this code at all.

    ciao, jerry
    Samba http://www.samba.org
    Centeris http://www.centeris.com
    "What man is a man who does not make the world better?"
  • No.1 | | 956 bytes | |

    On Wed, Jul 05, 2006 at 05:14:03PM -0500, Gerald (Jerry) Carter wrote:

    > Jeremy,
    >
    > Unless I am badly mistaken, this cannot work. I've even
    > stepped through with gdb and we never actually succeed in deriving
    > the salting principal for DES keys. Here's why:
    >
    > () sends a TGS
    > for the proposed service principal and then tries to decrypt
    > it with the passed in enctype. The problem
    > is that the service ticket will always be sealed with
    > the strongest key associated with the principal which in
    > an AD domain is always RC4-HMAC. But we always skip this
    > enctype in ().
    >
    > I just don't see any point to this code at all.

    What if this were an smbclient kerberized connection
    using an MIT kdc ? I do recall the person who sent
    in this code originally was using an MIT kdc (although
    I could have been mistaken, it was a while ago).

    Jeremy.
  • No.2 | | 914 bytes | |

    Jeremy Allison wrote:

    > What if this were an smbclient kerberized connection
    > using an MIT kdc ? I do recall the person who sent
    > in this code originally was using an MIT kdc (although
    > I could have been mistaken, it was a while ago).

    You miss the point though. This is done when running
    'net ads join'. That code has nothing to do with non-MS
    realms. I'm not saying that DES keys are not useful, I'm
    saying the derive salting principal code is broken on
    systems with RC4-HMAC support.

    cheers, jerry

    Samba http://www.samba.org
    Centeris http://www.centeris.com
    "What man is a man who does not make the world better?"
  • No.3 | | 1171 bytes | |

    Gerald (Jerry) Carter wrote:

    > Jeremy,
    >
    > Unless I am badly mistaken, this cannot work. I've even
    > stepped through with gdb and we never actually succeed in deriving
    > the salting principal for DES keys. Here's why:
    >
    > () sends a TGS
    > for the proposed service principal and then tries to decrypt
    > it with the passed in enctype. The problem
    > is that the service ticket will always be sealed with
    > the strongest key associated with the principal which in
    > an AD domain is always RC4-HMAC. But we always skip this
    > enctype in ().
    >
    > I just don't see any point to this code at all.

    I take it back. If the machine account has the DESNLY
    flag set, then this code would make sense. But running
    it in the presence of RC4-HMAC support does not.

    cheers, jerry

    Samba http://www.samba.org
    Centeris http://www.centeris.com
    "What man is a man who does not make the world better?"
  • No.4 | | 448 bytes | |

    On Wed, Jul 05, 2006 at 05:42:05PM -0500, Gerald (Jerry) Carter wrote:

    > You miss the point though. This is done when running
    > 'net ads join'. That code has nothing to do with non-MS
    > realms. I'm not saying that DES keys are not useful, I'm
    > saying the derive salting principal code is broken on
    > systems with RC4-HMAC support.

    Ah ok - can we easily avoid it doing net ads join then ?

    Jeremy.
  • No.5 | | 911 bytes | |

    On Wed, 2006-07-05 at 17:42 -0500, Gerald (Jerry) Carter wrote:

    > Jeremy Allison wrote:
    >
    > > What if this were an smbclient kerberized connection
    > > using an MIT kdc ? I do recall the person who sent
    > > in this code originally was using an MIT kdc (although
    > > I could have been mistaken, it was a while ago).
    >
    > You miss the point though. This is done when running
    > 'net ads join'. That code has nothing to do with non-MS
    > realms. I'm not saying that DES keys are not useful, I'm
    > saying the derive salting principal code is broken on
    > systems with RC4-HMAC support.

    It was written for old RHEL systems without that support.

    Better would be to actually ask for the salt, either by a modified
    kerberos API, or Volker's mini-krb5 testing implementation, as we only
    need to process 2 packets.

    Andrew Bartlett
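
The failure discussed in this thread, modelled as an added example that is not part of the original messages and is not Samba's code. The enctype names are real; the key derivation (PBKDF2 and SHA-256 stand-ins), the "ticket", the salts, the account records and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Model only: enctype names are real, the key derivation and "ticket" are stand-ins.
UNSALTED = {"rc4-hmac"}                      # key depends on the password alone
STRENGTH = ["rc4-hmac", "des-cbc-md5"]       # strongest first, as in the thread

REAL_SALT = "EXAMPLE.COMhostfs1.example.com"  # constructed value
CANDIDATES = ["EXAMPLE.COMhostfs1", "EXAMPLE.COMcifsfs1.example.com", REAL_SALT]


def string_to_key(enctype, password, salt):
    """Stand-in string-to-key: salted enctypes mix in the salt, rc4-hmac ignores it."""
    if enctype in UNSALTED:
        return hashlib.sha256(password.encode("utf-16-le")).digest()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 1000, 16)


def kdc_issue_ticket(account):
    """Seal the ticket with the strongest enctype the account holds a key for."""
    etype = next(e for e in STRENGTH if e in account["enctypes"])
    key = string_to_key(etype, account["password"], account["salt"])
    body = b"constructed-ticket-body"
    return etype, body + hmac.new(key, body, hashlib.sha256).digest()


def opens(key, blob):
    """'Decryption' succeeds only if the integrity tag verifies under this key."""
    body, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


def derive_salt(account, want_enctype):
    """Trial-decrypt the service ticket with a key built from each candidate salt."""
    if want_enctype in UNSALTED:
        return None                          # skipped: an unsalted key reveals no salt
    _, blob = kdc_issue_ticket(account)
    for salt in CANDIDATES:
        if opens(string_to_key(want_enctype, account["password"], salt), blob):
            return salt
    return None


AD_DEFAULT = {"password": "pw", "salt": REAL_SALT, "enctypes": {"rc4-hmac", "des-cbc-md5"}}
DES_ONLY = {"password": "pw", "salt": REAL_SALT, "enctypes": {"des-cbc-md5"}}

if __name__ == "__main__":
    print("AD default:", derive_salt(AD_DEFAULT, "des-cbc-md5"))   # None
    print("DES only  :", derive_salt(DES_ONLY, "des-cbc-md5"))     # the real salt
```

With both key types on the account, the ticket is sealed under the unsalted RC4-HMAC key, so no DES candidate ever opens it; only the DES-only account lets the trial decryption identify the salt.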
