Shawn M Emery wrote:
> Natalie Li wrote:
>> kclient.sh
>> ============
>>
>> - ((val=val+1+2))
>> - enctypes[${#enctyp...@]}]=des-cbc-crc
>> + ((val=val+2))
>> enctypes[${#enctyp...@]}]=des-cbc-md5
>>
>>
>> Why is des-cbc-crc enctypes not needed any more?
>
> It doesn't matter if it is one or the other or both, as they are
> considered similar enc types and have the same key.
I see.
>
>> ----------------------
>>
>> + printf "%s" $newpw | $KSETPW -n -s $salt -v $kvno -k
>> "$new_keytab" "${ar...@]}" HOST/${fq...@${realm} > /dev/null 2>&1
>> + if [[ $? -ne 0 ]]
>> + then
>> + printf "$(gettext "Failed to set account password").\n"
>> + error_message
>> + fi
>> +
>>
>> This is a workaround for the following CR:
>>
>> 6824434 P3 kerberosv5_b/applications Unable to accept context
>> establishment initiated by Windows 2000 clients
>>
>> If your team plans to fix the above CR by modifying mech_krb5 to
>> perform case-insensitive lookup in the near future, it'd be better
>> not to push this workaround along with the fixes for 6405422 & 6817447.
>
> There is conflicting information regarding service components; some
> implementors say that it should be case sensitive in theory, but have
> conceded that they treat this component case insensitive. I had to
> make a judgment call and preserve the case sensitivity as it might
> mean different things to other implementors or in the future. As a
> result, adding both a "host" and "HOST" entries avoids case
> insensitivity.
So, you might want to push your changes as a fix for the above CR (i.e.
6824434) as well.
>
>> -----------------------
>>
>> +servicePrincipalName: cifs/${fqdn}
>>
>> + printf "%s" $newpw | $KSETPW -n -s $salt -v $kvno -k
>> "$new_keytab" "${ar...@]}" cifs/${fq...@${realm} > /dev/null 2>&1
>> + if [[ $? -ne 0 ]]
>> + then
>> printf "$(gettext "Failed to set account password").\n"
>> error_message
>> fi
>>
>> I'd like the CIFS SPN to be introduced by both kclient and smbadm at
>> the same time ... probably at the time I putback the extended
>> security work for the CIFS project. What's your thought on this?
>
> I don't think that this is necessary as servers will harmlessly ignore
> this entry until your project is integrated.
>
I was thinking about the consistency between kclient and smbadm domain
join utility.
Yet, I agreed with what you said.
>> BTW, I've already fixed the key salt generation for smbadm CLI and
>> the fix will be put back as part of:
>> CR 6791210 P3 utility/cifs Kerberos user authentication
>
> One step ahead of me :)
Not quite since the above CR won't be committed to ON anytime soon.
Thanks,
Natalie
>
> Shawn.
> --
>> Shawn M Emery wrote:
>>>
>>> Was needing code reviews for the following CRs:
>>>
>>> 6405422 Solaris acceptors fail in AD-KDC environments when using
>>> non-"host" services...
>>> 6817447 libgss and various mechs are hiding both the real
>>> minor_status and the error token
>>>
>>> Webrev:
>>> http://cr.opensolaris.org/~semery/cifs
>>>
>>> Thanks,
>>>
>>> Shawn.
>>> --
>>> _______________________________________________
>>> kerberos-discuss mailing list
>>> kerberos-discuss at opensolaris.org
>>> http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss
>>
>>
>
