Issue with PAC and des-cbc-crc
Andrew Bartlett
abartlet at samba.org
Fri Apr 27 12:55:07 GMT 2007
Love,
I've been chasing down the issue raised on samba-technical, where kinit
from Heimdal 0.6.3 does not pass against Samba4.
The issue is that in getting a TGT, we create and sign a PAC. But the
test in pac.c:
pac_checksum():819
    if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
        krb5_set_error_string(context, "PAC checksum type is not keyed");
        return EINVAL;
    }
Fails, because crc isn't a keyed checksum.
Does windows just blindly create a PAC for these keytypes, or not send a
PAC, or should we just fail more gracefully?
For some reason, the error string doesn't make it to the client or the
logs, just 'invalid argument'.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
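
Why the check quoted in the message insists on a keyed checksum, as an added Python example (not code from Heimdal, Samba or the original post). The registry, function names, key and PAC bytes are constructed for illustration, and zlib's CRC-32 and HMAC-SHA1 stand in for the actual Kerberos checksum types.

```python
import hashlib
import hmac
import zlib

# Constructed sample data: not a real PAC, and zlib's CRC-32 is not the
# exact CRC variant Kerberos uses. Both are stand-ins (assumptions).
SAMPLE_PAC = b"PAC|user=alice|group=users"
KDC_KEY = b"constructed-demo-key"

def crc_tag(key, data):
    """Unkeyed checksum: the key is accepted but never used."""
    return zlib.crc32(data).to_bytes(4, "big")

def hmac_tag(key, data):
    """Keyed checksum: the tag depends on the key as well as the data."""
    return hmac.new(key, data, hashlib.sha1).digest()

# Hypothetical registry: name -> (function, is it keyed?)
CHECKSUMS = {"crc32": (crc_tag, False), "hmac-sha1": (hmac_tag, True)}

def sign_pac(cktype, key, data):
    """Refuse unkeyed types, like the check quoted from pac_checksum()."""
    func, keyed = CHECKSUMS[cktype]
    if not keyed:
        raise ValueError("PAC checksum type is not keyed: " + cktype)
    return func(key, data)

def verify(cktype, key, data, tag):
    """Recompute the tag with the verifier's key and compare."""
    func, _ = CHECKSUMS[cktype]
    return hmac.compare_digest(func(key, data), tag)

def altered_pac_accepted(cktype):
    """Does a PAC changed by a party without KDC_KEY still verify?"""
    func, _ = CHECKSUMS[cktype]
    altered = SAMPLE_PAC.replace(b"users", b"other")
    # The party changing the data does not hold KDC_KEY.
    tag = func(b"not-the-kdc-key", altered)
    return verify(cktype, KDC_KEY, altered, tag)

if __name__ == "__main__":
    for name in CHECKSUMS:
        print(name, "accepts altered PAC:", altered_pac_accepted(name))
    try:
        sign_pac("crc32", KDC_KEY, SAMPLE_PAC)
    except ValueError as err:
        print("refused:", err)
```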