Love,
I've been chasing down the issue raised on samba-technical, where kinit
from Heimdal 0.6.3 does not pass against Samba4.
The issue is that in getting a TGT, we create and sign a PAC. But the
test in pac.c:
pac_checksum():819
    if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
        krb5_set_error_string(context, "PAC checksum type is not keyed");
        return EINVAL;
    }
Fails, because crc isn't a keyed checksum.
Does Windows just blindly create a PAC for these keytypes, or not send a
PAC, or should we just fail more gracefully?
For some reason, the error string doesn't make it to the client or the
logs, just 'invalid argument'.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
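
Added example, not part of the original message and not Heimdal or Samba code: a sketch of why the pac_checksum() test quoted above insists on a keyed checksum type. All names and sample values are constructed; zlib's CRC-32 and a plain truncated HMAC-SHA1 stand in for the Kerberos checksum types, with no Kerberos key derivation.

```python
import hashlib
import hmac
import zlib

# Constructed sample values; not a real key or a real PAC encoding.
KDC_KEY = b"constructed-kdc-key"
PAC = b"user=alice;groups=100"

def crc_checksum(key, data):
    """Unkeyed: the key is ignored, so anyone can compute a matching value."""
    return zlib.crc32(data).to_bytes(4, "big")

def hmac_checksum(key, data):
    """Keyed: the value depends on a secret only the KDC holds."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

# name -> (function, is_keyed); hypothetical table for this example only.
CHECKSUMS = {
    "crc32": (crc_checksum, False),
    "hmac-sha1-96": (hmac_checksum, True),
}

def sign_pac(cktype, key, data):
    """Refuse unkeyed types, mirroring the test in pac_checksum()."""
    func, keyed = CHECKSUMS[cktype]
    if not keyed:
        raise ValueError("PAC checksum type is not keyed")
    return func(key, data)

def verify(cktype, key, data, sig):
    func, _ = CHECKSUMS[cktype]
    return hmac.compare_digest(func(key, data), sig)

def altered_pac_verifies(cktype):
    """A party without KDC_KEY edits the PAC and recomputes the checksum.
    Returns True if the KDC-side verification would still accept it."""
    func, _ = CHECKSUMS[cktype]
    altered = PAC.replace(b"groups=100", b"groups=200")
    recomputed = func(b"not-the-kdc-key", altered)
    return verify(cktype, KDC_KEY, altered, recomputed)

if __name__ == "__main__":
    for name in CHECKSUMS:
        print(name, "accepts altered PAC:", altered_pac_verifies(name))
```

With an unkeyed type the "signature" proves nothing about who produced the PAC, which is the condition the EINVAL path guards against.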