Re: Heimdal 0.3d
- To: "Jacques A. Vidrine" <n@nectar.com>
- Subject: Re: Heimdal 0.3d
- From: Assar Westerlund <assar@sics.se>
- Date: 15 Dec 2000 03:58:11 +0100
- Cc: heimdal-discuss@sics.se
- In-Reply-To: "Jacques A. Vidrine"'s message of "Thu, 14 Dec 2000 14:33:25 -0600"
- References: <5ly9xnsjzc.fsf@assaris.sics.se> <20001214143325.A53526@hamlet.nectar.com>
- Sender: owner-heimdal-discuss@sics.se
- User-Agent: Gnus/5.070098 (Pterodactyl Gnus v0.98) Emacs/20.6
"Jacques A. Vidrine" <n@nectar.com> writes:
> On Mon, Dec 11, 2000 at 04:41:11AM +0100, Assar Westerlund wrote:
> > * fix a bug in 3des gss-api mechanism, making it compatible with the
> > specification and the MIT implementation
> >
> > * lib/krb5, kdc: use correct usage type for ap-req messages. This
> > should improve compatibility with MIT krb5 when using 3DES
> > encryption types
>
> Do one (or both) of these changes break compatibility with previous
> versions of Heimdal?

Sorry for not being clearer on this. The first might have broken
compatibility with 3des gss-api in previous versions, but since that
functionality was just introduced, I'm not sure this is a serious problem.
The second one should not break any compatibility since there is code
for being backwards compatible included.

> I upgraded a client system from 0.3c to 0.3d. The KDC is running
> 0.3d. Now GSSAPI fails when using the 0.3d clients and des3-cbc-sha1.
> For example,
>
> % kinit -e des3-cbc-sha1
> user@COMPANY.COM's Password:
> % telnet somehost
> Encryption is verbose
> Trying 10.0.0.1...
> Connected to somehost.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5 (host/somehost.company.com@COMPANY.COM)... ]
> Kerberos V5: mk_req failed (Decrypt integrity check failed)
> [ Trying KERBEROS5 (host/somehost.company.com@COMPANY.COM)... ]
> Kerberos V5: mk_req failed (Decrypt integrity check failed)
> telnetd: Authorization failed.
> Connection closed by foreign host.

I don't think this is related, telnet doesn't use gss. Could you send
us the result of running `klist -v' after the failed telnet attempt?

/assar