
Re: Issue with PAC and des-cbc-crc



On Fri, 2007-04-27 at 15:20 +0200, Love Hörnquist Åstrand wrote:
> Andrew,
> 
> > I've been chasing down the issue raised on samba-technical, where kinit
> > from Heimdal 0.6.3 does not pass against Samba4.
> >
> > The issue is that in getting a TGT, we create and sign a PAC.  But the
> > test in pac.c:
> >
> > pac_checksum():819
> >     if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
> > 	krb5_set_error_string(context, "PAC checksum type is not keyed");
> > 	return EINVAL;
> >     }
> >
> > Fails, because crc isn't a keyed checksum.
> >
> > Does Windows just blindly create a PAC for these keytypes, or not send a
> > PAC, or should we just fail more gracefully?
> >
> > For some reason, the error string doesn't make it to the client or the
> > logs, just 'invalid argument'.
> 
> I've not looked at what Windows does with the PAC if the checksum
> isn't a keyed checksum, but having an unkeyed checksum on the PAC
> does seem like a bad idea.

I think Windows may simply not issue the PAC, and that's certainly what
we should do.  (But some testing or confirmation here would be useful).
That way, we won't ever be asked to verify it (and if we are, we can
just bail then).

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
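
The behaviour proposed in this message (omit the PAC when the key's checksum type is unkeyed, and bail on verification if one is ever presented), as an added example that is not part of the original message and is not Heimdal or Samba code. The tables, function names, the sample PAC bytes, and the use of zlib CRC-32 and plain HMAC-MD5 as stand-ins for the Kerberos checksum algorithms are all assumptions made for illustration.

```python
import hmac
import zlib

# Constructed model, not Heimdal's tables: checksum name -> (is_keyed, function).
CHECKSUMS = {
    "crc32": (False, lambda key, data: zlib.crc32(data).to_bytes(4, "little")),
    "hmac-md5": (True, lambda key, data: hmac.new(key, data, "md5").digest()),
}
# Assumed mapping from the ticket key's enctype to the checksum used for the PAC.
ENCTYPE_CHECKSUM = {"des-cbc-crc": "crc32", "arcfour-hmac-md5": "hmac-md5"}


def checksum_is_keyed(cktype):
    return CHECKSUMS[cktype][0]


def pac_checksum(cktype, key, data):
    """Same guard as the quoted pac.c test: refuse unkeyed checksum types."""
    if not checksum_is_keyed(cktype):
        raise ValueError("PAC checksum type is not keyed")
    return CHECKSUMS[cktype][1](key, data)


def issue_pac(enctype, key, pac_data):
    """KDC side: return (pac, signature), or None to omit the PAC."""
    cktype = ENCTYPE_CHECKSUM[enctype]
    if not checksum_is_keyed(cktype):
        return None  # ticket is issued without a PAC instead of failing
    return pac_data, pac_checksum(cktype, key, pac_data)


def verify_pac(cktype, key, pac_data, signature):
    """Verifier side: bail on unkeyed types, constant-time compare otherwise."""
    if not checksum_is_keyed(cktype):
        return False
    return hmac.compare_digest(pac_checksum(cktype, key, pac_data), signature)


def unkeyed_checksum_ignores_key(data):
    """Why the guard exists: CRC output is identical for every key."""
    crc = CHECKSUMS["crc32"][1]
    return crc(b"kdc-key", data) == crc(b"any-other-key", data)


if __name__ == "__main__":
    pac = b"constructed PAC: user=alice groups=513"  # constructed sample
    print(issue_pac("des-cbc-crc", b"k" * 8, pac))
    print(issue_pac("arcfour-hmac-md5", b"k" * 16, pac))
```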
