Issue with PAC and des-cbc-crc

Andrew Bartlett abartlet at
Fri Apr 27 12:55:07 GMT 2007


I've been chasing down the issue raised on samba-technical, where kinit
from Heimdal 0.6.3 does not pass against Samba4.

The issue is that in getting a TGT, we create and sign a PAC.  But the
test in pac.c:

    if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
	krb5_set_error_string(context, "PAC checksum type is not keyed");
	return EINVAL;

Fails, because crc isn't a keyed checksum.  

Does windows just blindly create a PAC for these keytypes, or not send a
PAC, or should we just fail more gracefully?

For some reason, the error string doens't make it to the client or the
logs, just 'invalid argument'.

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list