[SAMBA4] In Memory ccache doesn't work

Dave Daugherty dave.daugherty at centrify.com
Mon Dec 11 20:18:55 GMT 2006


For MIT Kerberos, if you do not send pre-auth data up front, a Windows server will send you the pre-auth required error AND send the proper DES salt if DES authentication is what is required.  The libraries transparently handle this specific case.  The downside is that not sending pre-auth data up front may result in a security event log entry being recorded, potentially setting off someone's pager.

But unless you are prepared to provide the correct case sensitive salt, you are better off not sending the pre-auth data.

Dave Daugherty
Centrify Corp

From: Love Hörnquist Åstrand
Sent: Sunday, December 10, 2006 1:44 PM

> To: Stefan (metze) Metzmacher

>> I just noticed that we always do the following before a
>> krb5 authentication.
>>
>> AS-REQ without pre-auth krbtgt/REALM
>> AS-REP error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
>> AS-REQ with pre-auth krbtgt/REALM
>> AS-REQ fine

>The problem with sending a pre-auth is that if you guess wrong you
>sometimes do not get back preauth-req but instead another error, and
>that doesn't cause a retry.

>> TGS-REQ for target principal
>> TGS-REP fine
>> TGS-REQ KDCOptions: 60000000 (Forwardable, Forwarded) for krbtgt/REALM
>> TGS-REP error_code: KRB5KDC_ERR_BADOPTION (13)

>I think the code tries to delegate, maybe it should check if the
>ticket is forwardable before trying (or not try to delegate in the
>first place).

>Love
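The two behaviours discussed in the thread, the pre-auth retry that only works when the KDC gets to hand back the salt, and the TGS-REQ that fails with KRB5KDC_ERR_BADOPTION when delegation is requested off a non-forwardable TGT, modelled as an added example. This is constructed illustration code, not Samba, Heimdal or MIT Kerberos code: the KDC class is a stand-in that reproduces only what the thread describes, the string-to-key function, salt values, principal names and the `audit_events` counter are assumptions, and KRB5KDC_ERR_PREAUTH_FAILED (24) is used as the "other error" that does not trigger a retry.

```python
"""Toy model of the AS-REQ / TGS-REQ sequence discussed in the thread.

Constructed example: not Samba, Heimdal or MIT code. The KDC below is a
stand-in that only reproduces the behaviours the thread describes; the
string-to-key function, salt strings and the audit counter are assumptions.
"""
import hashlib

# Error codes named in the thread, plus PREAUTH_FAILED for the wrong-guess case.
KRB5KDC_ERR_BADOPTION = 13
KRB5KDC_ERR_PREAUTH_FAILED = 24
KRB5KDC_ERR_PREAUTH_REQUIRED = 25


def string_to_key(password, salt):
    """Stand-in for the real string-to-key; all that matters here is that the
    derived key changes when the (case-sensitive) salt is wrong."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


class ToyKDC:
    """Constructed stand-in for a KDC (assumption, not a real implementation)."""

    def __init__(self, principals, tgt_forwardable):
        self.principals = principals          # client -> (password, salt)
        self.tgt_forwardable = tgt_forwardable
        self.audit_events = 0                 # AS-REQs seen without pre-auth

    def as_req(self, client, padata=None):
        password, salt = self.principals[client]
        if padata is None:
            # No pre-auth: answer PREAUTH_REQUIRED and hand back the proper
            # salt so the client can retry. This is the request that may
            # end up as a security event log entry on the server side.
            self.audit_events += 1
            return {"error": KRB5KDC_ERR_PREAUTH_REQUIRED, "salt": salt}
        if padata != string_to_key(password, salt):
            # Guessed salt was wrong: a different error comes back, and the
            # client library does not treat it as a cue to retry.
            return {"error": KRB5KDC_ERR_PREAUTH_FAILED}
        return {"tgt": {"client": client, "forwardable": self.tgt_forwardable}}

    def tgs_req(self, tgt, kdc_options):
        # Asking for a forwarded ticket from a non-forwardable TGT is rejected.
        if "forwarded" in kdc_options and not tgt["forwardable"]:
            return {"error": KRB5KDC_ERR_BADOPTION}
        return {"ticket": {"forwarded": "forwarded" in kdc_options}}


def get_tgt(kdc, client, password, salt_guess=None):
    """Client side of the AS exchange.

    With salt_guess=None, follow the trace quoted in the thread: AS-REQ
    without pre-auth, take the salt from the PREAUTH_REQUIRED error, retry
    once. With a salt_guess, send pre-auth up front and stop on any error.
    Returns (tgt or None, list of (message, mode, outcome) steps)."""
    trace = []
    if salt_guess is None:
        rep = kdc.as_req(client)
        trace.append(("AS-REQ", "no-preauth", rep["error"]))
        if rep["error"] != KRB5KDC_ERR_PREAUTH_REQUIRED:
            return None, trace
        salt = rep["salt"]
    else:
        salt = salt_guess
    rep = kdc.as_req(client, string_to_key(password, salt))
    trace.append(("AS-REQ", "preauth", rep.get("error", "ok")))
    return rep.get("tgt"), trace


def request_service_ticket(kdc, tgt, want_delegation, check_flag):
    """TGS step. With check_flag=True, only ask for a forwarded ticket when
    the TGT actually carries the forwardable flag, which is the check the
    thread suggests adding before attempting delegation."""
    options = []
    if want_delegation and (tgt["forwardable"] or not check_flag):
        options.append("forwarded")
    return kdc.tgs_req(tgt, options)


if __name__ == "__main__":
    # Constructed principal and salt; the salt is case-sensitive on purpose.
    kdc = ToyKDC({"metze": ("pw", "EXAMPLE.COMmetze")}, tgt_forwardable=False)
    tgt, trace = get_tgt(kdc, "metze", "pw")
    print("no pre-auth up front:", trace, "audit events:", kdc.audit_events)
    print("wrong salt guess:", get_tgt(kdc, "metze", "pw", "example.commetze")[1])
    print("delegation without flag check:",
          request_service_ticket(kdc, tgt, True, check_flag=False))
    print("delegation with flag check:",
          request_service_ticket(kdc, tgt, True, check_flag=True))
```

Run as-is, the first path costs two AS-REQs and one KDC-side audit event but always succeeds; the wrong-guess path costs one AS-REQ, raises no audit event, and fails without a retry, which is the trade-off both sides of the thread are describing. The last two lines show the TGS-REQ that gets KRB5KDC_ERR_BADOPTION and the same request after the forwardable check.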