svn commit: samba r11928 - in branches/SAMBA_4_0/source/auth/kerberos: .
Love
lha at samba.org
Sun Nov 27 12:52:37 GMT 2005
abartlet at samba.org writes:
> + - When sending the enc-type negotiation, we call get_pa_etype_info if
> + there are only 'old' enc types present, but always call
> + get_pa_etype_info2. It would seem more logical to have an
> + either/or, or only send both to clients that show signs of knowing
> + about the old enc types.
> + - Perhaps this is to cope with clients that expect the older info in
> + the first position? (Comments needed)
This behavior is mandated by RFC4120:
When the AS server is to include pre-authentication data in a
KRB-ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE-
INFO, if the etype field of the client's AS-REQ lists at least one
"newer" encryption type. Otherwise (when the etype field of the
client's AS-REQ does not list any "newer" encryption types), it MUST
send both PA-ETYPE-INFO2 and PA-ETYPE-INFO (both with an entry for
each enctype). A "newer" enctype is any enctype first officially
specified concurrently with or subsequent to the issue of this RFC.
The enctypes DES, 3DES, or RC4 and any defined in [RFC1510] are not
"newer" enctypes.
Love
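The RFC rule quoted above, written out as code. This is an added example, not code from Samba, Heimdal or the commit under discussion: a small C model of the KDC-side decision that looks at the etype list of the client's AS-REQ, returns PA-ETYPE-INFO2 alone if any "newer" enctype is listed, and otherwise returns both PA-ETYPE-INFO2 and PA-ETYPE-INFO with one entry per key enctype held for the principal. The table of non-newer enctypes, the sample etype lists, the ordering of the two PA types in the output and the helper names are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-authentication data type numbers (RFC 4120, section 7.5.2). */
#define PA_ETYPE_INFO  11
#define PA_ETYPE_INFO2 19

/* Result bits for choose_etype_info_pa(). */
#define SEND_ETYPE_INFO  0x1u
#define SEND_ETYPE_INFO2 0x2u

/*
 * Enctypes RFC 4120 says are NOT "newer": DES, 3DES, RC4 and anything
 * from RFC 1510. Everything else (e.g. the AES enctypes 17 and 18) is
 * treated as newer. Numbers follow the IANA Kerberos enctype registry;
 * the table itself is this example's own assumption, not Heimdal's or
 * Samba's.
 */
static const int32_t not_newer_enctypes[] = {
    1,  /* des-cbc-crc      */
    2,  /* des-cbc-md4      */
    3,  /* des-cbc-md5      */
    5,  /* des3-cbc-md5     */
    7,  /* des3-cbc-sha1    */
    16, /* des3-cbc-sha1-kd */
    23, /* rc4-hmac         */
    24, /* rc4-hmac-exp     */
};

static bool is_newer_enctype(int32_t etype)
{
    size_t n = sizeof(not_newer_enctypes) / sizeof(not_newer_enctypes[0]);
    for (size_t i = 0; i < n; i++)
        if (not_newer_enctypes[i] == etype)
            return false;
    return true;
}

/* At least one newer enctype in the AS-REQ -> PA-ETYPE-INFO2 only;
 * none -> both PA-ETYPE-INFO2 and PA-ETYPE-INFO. */
unsigned choose_etype_info_pa(const int32_t *req_etypes, size_t nreq)
{
    for (size_t i = 0; i < nreq; i++)
        if (is_newer_enctype(req_etypes[i]))
            return SEND_ETYPE_INFO2;
    return SEND_ETYPE_INFO2 | SEND_ETYPE_INFO;
}

/* One entry of a PA-ETYPE-INFO(2) sequence, reduced to the fields used
 * here; real entries also carry the salt (and s2kparams for INFO2). */
struct pa_entry {
    int32_t patype; /* PA_ETYPE_INFO or PA_ETYPE_INFO2 */
    int32_t etype;  /* enctype of one of the principal's keys */
};

/*
 * Entries the KDC would place in the KRB-ERROR or AS-REP: one per key
 * enctype held for the client principal, in each selected PA type.
 * INFO2-before-INFO ordering is this example's choice; the quoted RFC
 * text fixes no order. Returns the entry count, 0 if out is too small.
 */
size_t build_etype_info_pa(const int32_t *req_etypes, size_t nreq,
                           const int32_t *key_etypes, size_t nkeys,
                           struct pa_entry *out, size_t out_max)
{
    unsigned which = choose_etype_info_pa(req_etypes, nreq);
    const int32_t patypes[] = { PA_ETYPE_INFO2, PA_ETYPE_INFO };
    const unsigned bits[]   = { SEND_ETYPE_INFO2, SEND_ETYPE_INFO };
    size_t count = 0;

    for (size_t p = 0; p < 2; p++) {
        if (!(which & bits[p]))
            continue;
        for (size_t k = 0; k < nkeys; k++) {
            if (count == out_max)
                return 0;
            out[count].patype = patypes[p];
            out[count].etype  = key_etypes[k];
            count++;
        }
    }
    return count;
}

/* Constructed sample data, not captured traffic. */
static const int32_t key_etypes[] = { 18, 23, 3 };     /* aes256, rc4, des keys */
static const int32_t req_modern[] = { 18, 17, 23, 3 }; /* client that knows AES  */
static const int32_t req_legacy[] = { 23, 16, 3, 1 };  /* RC4/3DES/DES-only client */

/* Wrapper so the entry count for a request is a plain return value. */
size_t entry_count_for(const int32_t *req_etypes, size_t nreq)
{
    struct pa_entry buf[16];
    return build_etype_info_pa(req_etypes, nreq, key_etypes, 3, buf, 16);
}

int main(void)
{
    struct pa_entry buf[16];
    const int32_t *reqs[] = { req_modern, req_legacy };
    for (size_t r = 0; r < 2; r++) {
        size_t n = build_etype_info_pa(reqs[r], 4, key_etypes, 3, buf, 16);
        printf("request %zu: %zu entries\n", r, n);
        for (size_t i = 0; i < n; i++)
            printf("  PA %d etype %d\n", buf[i].patype, buf[i].etype);
    }
    return 0;
}
```

With the sample data the AES-capable client gets three PA-ETYPE-INFO2 entries only, while the RC4/3DES/DES-only client gets six entries, the same three enctypes once under each PA type, which is the "send both" branch the commit message found puzzling.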