On Tue, 2008-07-29 at 09:45 +0100, Love Hörnquist Åstrand wrote:
> 29 jul 2008 kl. 01.24 skrev Andrew Bartlett:
> > So, the question is: What is wrong with Heimdal in this situation? How
> > do we come to negotiate different keys with the same code in both
> > directions?
> Can you describe what you think the failure is, I don't understand
> your setup.
Samba4 as a client to Samba4, in a Samba4 domain (i.e., all the GSSAPI and
KDC code is lorikeet-heimdal).
When we use the same function - gsskrb5_get_initiator_subkey() in the
client and server, then we get the same key at each end (and the key
that has matched Microsoft, until we started using AES and CFX).
However, when we use gsskrb5_get_subkey(), we get different keys between
a Samba4 client and server.
Note however, get_subkey() gives us the 'right' key on the server, for
Vista clients using CFX. Metze also found get_subkey() giving him
better results, but something seems wrong if it can't work Samba to
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com