Internal MIT Kerberos functions used by Samba

Andreas Schneider asn at
Mon Mar 20 05:45:14 EDT 2017


As you might know, I have been working for several years now on migrating 
Samba AD to use MIT Kerberos instead of Heimdal Kerberos.

The MIT Kerberos library has several symbols which are public but do not offer 
a prototype in a header file. Samba uses several of those functions to either 
implement important parts or to be able to write tests. This document collects 
them and will describe their use cases.

We would like to see a public header file to use those functions. We do not 
need stable API guarantees.

A warning before the changes happen to those functions would be great!


Samba implements its own kpasswd server to be able to apply ACLs on the 
principal requesting to change a password. To be able to do a set_password, it 
needs to decode a set_password request packet.

See source4/kdc/kpasswd-service-mit.c

It would be great to have a stable API for this function.

The following functions are used by source4/torture/krb5/kdc-mit.c. This is a 
set of tests that make sure that the KDC responds correctly to certain errors.


If we send incorrect packets, we expect that certain error codes are returned. 
We use that function to decode error packets and make sure the correct error 
code is returned by the KDC.


This is needed to verify that certain aspects which are expected by AD are 
sent in the request.


This is used to verify that the KVNO is for a RODC or a normal DC. Or we use 
it to check that, if we request certain enctypes, they are also part of the ticket.


We have a test which authenticates with a wrong password. In this case we get 
an error packet and check the error e-data has KRB5_PADATA_ENC_TIMESTAMP set.


Used to free memory allocated by the decode functions


Used to free memory allocated by the decode functions


Used to free memory allocated by the decode functions

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at
