[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue with PAC and des-cbc-crc



Andrew,

> I've been chasing down the issue raised on samba-technical, where  
> kinit
> from Heimdal 0.6.3 does not pass against Samba4.
>
> The issue is that in getting a TGT, we create and sign a PAC.  But the
> test in pac.c:
>
> pac_checksum():819
>     if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
> 	krb5_set_error_string(context, "PAC checksum type is not keyed");
> 	return EINVAL;
>     }
>
> Fails, because crc isn't a keyed checksum.
>
> Does windows just blindly create a PAC for these keytypes, or not  
> send a
> PAC, or should we just fail more gracefully?
>
> For some reason, the error string doens't make it to the client or the
> logs, just 'invalid argument'.

I've not looked at what windows does with the pac if the checksum
isn't an keyed checksum, but having a unkeyed check on the pac
does seem like a bad idea.

Will try to fix the bad error to the client.

Love