svn commit: samba r11928 - in branches/SAMBA_4_0/source/auth/kerberos: .

Love lha at
Sun Nov 27 12:52:37 GMT 2005

abartlet at writes:

> + - When sending the enc-type negotiation, we call get_pa_etype_info if
> +   there are only 'old' enc types present, but always call
> +   get_pa_etype_info2.  It would seem more logical to have an
> +   either/or, or only send both to clients that show signs of knowing
> +   about the old enc types.
> + - Perhaps this is to cope with clients that expect the older info in
> +   the first position?  (Comments needed)

This behavior is mandated by RFC4120:

   When the AS server is to include pre-authentication data in a
   KRB-ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE-
   INFO, if the etype field of the client's AS-REQ lists at least one
   "newer" encryption type.  Otherwise (when the etype field of the
   client's AS-REQ does not list any "newer" encryption types), it MUST
   send both PA-ETYPE-INFO2 and PA-ETYPE-INFO (both with an entry for
   each enctype).  A "newer" enctype is any enctype first officially
   specified concurrently with or subsequent to the issue of this RFC.
   The enctypes DES, 3DES, or RC4 and any defined in [RFC1510] are not
   "newer" enctypes.
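The rule quoted above, as an added example that is not Samba or Heimdal code: a KDC-side decision from the AS-REQ etype list to the set of etype-info PA-DATA to include. It assumes that AES, being specified in the same period as RFC 4120, counts as "newer", and that any enctype number outside the DES, 3DES and RC4 families does too.

```c
/* Added example, not Samba or Heimdal code: the RFC 4120 rule for which
 * etype-info PA-DATA a KDC puts in a KRB-ERROR or AS-REP, decided from the
 * etype list of the client's AS-REQ. Numbers are from the IANA registries. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
enum etype {
    ETYPE_DES_CBC_CRC = 1, ETYPE_DES_CBC_MD4 = 2, ETYPE_DES_CBC_MD5 = 3,
    ETYPE_DES3_CBC_MD5 = 5, ETYPE_DES3_CBC_SHA1 = 7, ETYPE_DES3_CBC_SHA1_KD = 16,
    ETYPE_AES128_CTS_HMAC_SHA1_96 = 17, ETYPE_AES256_CTS_HMAC_SHA1_96 = 18,
    ETYPE_ARCFOUR_HMAC_MD5 = 23, ETYPE_ARCFOUR_HMAC_MD5_56 = 24
};
enum { PA_ETYPE_INFO = 11, PA_ETYPE_INFO2 = 19 };
#define SEND_PA_ETYPE_INFO2 0x1u   /* include a PA-ETYPE-INFO2 PA-DATA */
#define SEND_PA_ETYPE_INFO  0x2u   /* include a PA-ETYPE-INFO PA-DATA  */

/* DES, 3DES, RC4 and the RFC 1510 enctypes are not "newer". The RFC calls
 * everything specified with or after it newer, so (assumption) any other
 * number, AES included, is treated as newer here. */
static bool is_newer_enctype(int etype)
{
    switch (etype) {
    case ETYPE_DES_CBC_CRC: case ETYPE_DES_CBC_MD4: case ETYPE_DES_CBC_MD5:
    case ETYPE_DES3_CBC_MD5: case ETYPE_DES3_CBC_SHA1: case ETYPE_DES3_CBC_SHA1_KD:
    case ETYPE_ARCFOUR_HMAC_MD5: case ETYPE_ARCFOUR_HMAC_MD5_56:
        return false;
    default:
        return true;
    }
}

/* PA-ETYPE-INFO2 is always sent; PA-ETYPE-INFO is added only when the
 * client listed no newer enctype. Each PA-DATA gets one entry per enctype. */
unsigned pa_etype_info_to_send(const int *req_etypes, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_newer_enctype(req_etypes[i]))
            return SEND_PA_ETYPE_INFO2;
    return SEND_PA_ETYPE_INFO2 | SEND_PA_ETYPE_INFO;
}

int main(void)
{
    /* Constructed AS-REQ etype lists: an AES-capable client and a legacy one. */
    const int modern[] = { ETYPE_AES256_CTS_HMAC_SHA1_96, ETYPE_ARCFOUR_HMAC_MD5 };
    const int legacy[] = { ETYPE_ARCFOUR_HMAC_MD5, ETYPE_DES_CBC_MD5 };
    printf("AES client: 0x%x\n", pa_etype_info_to_send(modern, 2));    /* 0x1 */
    printf("legacy client: 0x%x\n", pa_etype_info_to_send(legacy, 2)); /* 0x3 */
    return 0;
}
```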
