Windows clients seem to have some reasonable limitations to what they consider a valid salt:
So we should change our randomization code to restrict byte values to be between the values 1 and 127 for maximum compatibility. Perhaps even restricting to printable ASCII chars only might be a good idea.
Another minor but good reason is that MIT kerberos debugging also treats the salt as a string so having just printable chars is a plus to get non-mangled output.
master: f7938a1
Calculations were not correct, they fail for negative values and krb5_data is not defined as unsigned.
Thank to Nalin for finding out.
Amended master tree with commit: 0813783 Pushed a corrected patch to ipa-2-1 too: afece97
Metadata Update from @simo: - Issue assigned to simo - Issue set to the milestone: FreeIPA 3.0 Core Effort - 2011/11
Login to comment on this ticket.