Re: Issue with PAC and des-cbc-crc
Andrew,
> I've been chasing down the issue raised on samba-technical, where kinit
> from Heimdal 0.6.3 does not pass against Samba4.
>
> The issue is that in getting a TGT, we create and sign a PAC. But the
> test in pac.c:
>
> pac_checksum():819
>     if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
>         krb5_set_error_string(context, "PAC checksum type is not keyed");
>         return EINVAL;
>     }
>
> Fails, because crc isn't a keyed checksum.
>
> Does Windows just blindly create a PAC for these keytypes, or not send a
> PAC, or should we just fail more gracefully?
>
> For some reason, the error string doesn't make it to the client or the
> logs, just 'invalid argument'.
I've not looked at what Windows does with the pac if the checksum
isn't a keyed checksum, but having an unkeyed check on the pac
does seem like a bad idea.
Will try to fix the bad error to the client.
Love
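
An added illustration, not part of the original message and not Heimdal or Samba code, of why the keyed-checksum test discussed in this thread matters: a verifier without that gate accepts altered data under an unkeyed type, while the gated signer fails with a descriptive error. The type numbers are those of RFC 3961/3962; the checksum computations are simplified stand-ins (zlib CRC-32, plain HMAC-SHA1 truncated to 96 bits), and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import zlib

# Checksum type number -> (name, keyed?). "keyed" is the property the
# quoted pac.c snippet tests with krb5_checksum_is_keyed().
CKSUMTYPES = {
    1: ("crc32", False),
    7: ("rsa-md5", False),
    15: ("hmac-sha1-96-aes128", True),
    16: ("hmac-sha1-96-aes256", True),
}

class PacChecksumError(ValueError):
    """Carries a descriptive message instead of a bare 'invalid argument'."""

def is_keyed(cktype):
    entry = CKSUMTYPES.get(cktype)
    return bool(entry and entry[1])

def compute(cktype, key, data):
    # Simplified stand-ins, NOT the real Kerberos checksum algorithms.
    if cktype == 1:
        return zlib.crc32(data).to_bytes(4, "little")
    if cktype == 7:
        return hashlib.md5(data).digest()
    if cktype in (15, 16):
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise PacChecksumError(f"unknown checksum type {cktype}")

def sign_pac(cktype, key, pac):
    # Same gate as the quoted check, but the reason travels with the error.
    if not is_keyed(cktype):
        name = CKSUMTYPES.get(cktype, ("unknown", False))[0]
        raise PacChecksumError(f"PAC checksum type {cktype} ({name}) is not keyed")
    return compute(cktype, key, pac)

def verify_ungated(cktype, key, pac, cksum):
    # Weak design: trusts whatever checksum type accompanies the data.
    return hmac.compare_digest(compute(cktype, key, pac), cksum)

def verify_pac(cktype, key, pac, cksum):
    # Hardened design: an unkeyed type never authenticates a PAC.
    return is_keyed(cktype) and hmac.compare_digest(compute(cktype, key, pac), cksum)

def checksum_without_key(cktype, data):
    # What a party that does not hold the key can compute over altered data.
    return compute(cktype, b"", data)
```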