[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: heimdal 0.8.1 w2k interop
On Jun 13, 2007, at 7:57 PM, Love Hörnquist Åstrand wrote:
>> We've found ourselves in catch 22 situation. There was one thing
>> preventing us from upgrading our KDCs from heimdal-0.6.x and that was
>> Windows 2000 clients. But now we've got another kind of clients on
>> network, namely Thursby's ADmitMac, which unconditionally want to
>> perform pre-authentication with encryption type not supported by
>> 0.6.x :-( Attached patch makes it possible for 0.8.1 KDC to
>> inter-operate with Windows 2000, yet authenticate newer clients.
>> There
>> are apparently two things Windows 2000 are allergic to: encryption
>> types "newer" than ETYPE_DES3_CBC_SHA1 in PA_ENCTYPE_INFO, and
>> [paradoxically enough] own ETYPE_ARCFOUR_HMAC_MD5 tickets. And that's
>> basically what we try to address. The patch was tested with Windows
>> 2000, XP, Vista, MIT krb5 1.3.x, whatever found in Solaris 8, not to
>> mention ADmitMac.
>
> So basicly sending anything other then
>
> ETYPE_DES_CBC_CRC
> ETYPE_DES_CBC_MD4
> ETYPE_DES_CBC_MD5
> ETYPE_DES3_CBC_SHA1
> ETYPE_ARCFOUR_HMAC_MD5
> ETYPE_ARCFOUR_HMAC_MD5_56
>
> In etype-info pa is a bad idea ?
>
> I sure ETYPE_ARCFOUR_HMAC_MD5 works with XP just fine.
>
> What part of ADmitMac will take a password ?
>
> Love
I'm likewise sure that ETYPE_ARCFOUR_HMAC_MD5 is a native enctype for
W2K, so it *shouldn't* be a problem. Doesn't mean it isn't a
actually problem, but it shouldn't.