
Re: heimdal 1.0.1 w2k interop



There is some new option in the latest version of the W2K3 tools that  
allows you to specifically enable rc4 with non-windows Kerberos.  I  
presume you are making use of that, and the problem persists?

On Oct 16, 2007, at 9:26 AM, Andy Polyakov wrote:

> Ooops! This time with attachment:-) A.
>
>> - w2k can parse only PA_ENCTYPE_INFO structure, while heimdal  
>> fails to provide this structure, because it fails to identify w2k  
>> as "old" client;
>> First issue is still present in 1.0.1, because it fails to  
>> identify legacy Microsoft cryptotypes as "old" ones. Attached  
>> patch does the trick for us [by adding just mentioned cryptotypes  
>> to older_enctype()] and [so far] was tested with w2k, wxp, vista,  
>> mit krb5 and admitmac.
> --- ./kdc/kerberos5.c.orig	2007-08-09 09:47:22.000000000 +0200
> +++ ./kdc/kerberos5.c	2007-10-16 10:02:06.000000000 +0200
> @@ -362,6 +362,9 @@
>      case ETYPE_DES3_CBC_SHA1:
>      case ETYPE_ARCFOUR_HMAC_MD5:
>      case ETYPE_ARCFOUR_HMAC_MD5_56:
> +    case ETYPE_ARCFOUR_MD4:		/* windows specific */
> +    case ETYPE_ARCFOUR_HMAC_OLD:
> +    case ETYPE_ARCFOUR_HMAC_OLD_EXP:
>  	return 1;
>      default:
>  	return 0;
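
Review bot: the `/* windows specific */` comment sits only on the `ETYPE_ARCFOUR_MD4` case, although `ETYPE_ARCFOUR_HMAC_OLD` and `ETYPE_ARCFOUR_HMAC_OLD_EXP` are added for the same reason. A single comment above the three new cases, saying that these are the legacy Microsoft enctypes and are listed so that a client offering them is treated as "old", would make the intent clear. It is also worth stating there that the types are only classified here, since nothing in this patch shows the KDC handling keys of these types.
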
> --- ./lib/asn1/k5.asn1.orig	2007-08-09 09:47:10.000000000 +0200
> +++ ./lib/asn1/k5.asn1	2007-10-15 23:39:29.000000000 +0200
> @@ -137,6 +137,10 @@
>  	ETYPE_ARCFOUR_HMAC_MD5(23),
>  	ETYPE_ARCFOUR_HMAC_MD5_56(24),
>  	ETYPE_ENCTYPE_PK_CROSS(48),
> +-- some "old" windows types
> +	ETYPE_ARCFOUR_MD4(-128),
> +	ETYPE_ARCFOUR_HMAC_OLD(-133),
> +	ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
>  -- these are for Heimdal internal use
>  	ETYPE_DES_CBC_NONE(-0x1000),
>  	ETYPE_DES3_CBC_NONE(-0x1001),
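
Review bot: the new `-- some "old" windows types` comment does not say why these three values are negative or where the numbers come from, and the entries sit directly above the `-- these are for Heimdal internal use` block, whose values are also negative. The comment should state that -128, -133 and -135 are values sent by Windows clients rather than Heimdal-private constants, and cite the source of the assignments, so that nobody later treats them as internal numbers that can be renumbered.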

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu