Issue with PAC and des-cbc-crc

Andrew Bartlett abartlet at samba.org
Mon May 7 08:59:59 GMT 2007


On Fri, 2007-04-27 at 15:20 +0200, Love Hörnquist Åstrand wrote:
> Andrew,
> 
> > I've been chasing down the issue raised on samba-technical, where kinit
> > from Heimdal 0.6.3 does not pass against Samba4.
> >
> > The issue is that in getting a TGT, we create and sign a PAC.  But the
> > test in pac.c:
> >
> > pac_checksum():819
> >     if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
> > 	krb5_set_error_string(context, "PAC checksum type is not keyed");
> > 	return EINVAL;
> >     }
> >
> > Fails, because crc isn't a keyed checksum.
> >
> > Does Windows just blindly create a PAC for these keytypes, or not send a
> > PAC, or should we just fail more gracefully?
> >
> > For some reason, the error string doesn't make it to the client or the
> > logs, just 'invalid argument'.
> 
> I've not looked at what Windows does with the pac if the checksum
> isn't a keyed checksum, but having an unkeyed check on the pac
> does seem like a bad idea.

I think Windows may simply not issue the PAC, and that's certainly what
we should do.  (But some testing or confirmation here would be useful).
That way, we won't ever be asked to verify it (and if we are, we can
just bail then).

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
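
An added example, not part of the original message and not Heimdal or Samba code: a toy model of the behaviour proposed above, where the KDC omits the PAC when the checksum type is unkeyed and the verifier bails if it is ever handed one. The registry, function names and sample bytes are assumptions; zlib's CRC-32 and HMAC-MD5 stand in for the Kerberos checksum types.

```python
import hashlib
import hmac
import zlib

# Toy checksum registry (constructed, not Heimdal's tables). "keyed" plays
# the role of what krb5_checksum_is_keyed() reports for a checksum type.
CHECKSUMS = {
    "crc32": {"keyed": False,
              "fn": lambda key, data: zlib.crc32(data).to_bytes(4, "big")},
    "hmac-md5": {"keyed": True,
                 "fn": lambda key, data: hmac.new(key, data, hashlib.md5).digest()},
}

def sign_pac(cktype, key, pac):
    """KDC side: return (pac, checksum), or None to issue the ticket with no PAC."""
    ck = CHECKSUMS[cktype]
    if not ck["keyed"]:
        return None  # omit the PAC instead of failing the request with EINVAL
    return pac, ck["fn"](key, pac)

def verify_pac(cktype, key, pac, checksum):
    """Verifier side: refuse unkeyed types, constant-time compare otherwise."""
    ck = CHECKSUMS[cktype]
    if not ck["keyed"]:
        raise ValueError("PAC checksum type is not keyed")
    return hmac.compare_digest(ck["fn"](key, pac), checksum)

def checksum_without_key(cktype, data):
    """The value a party holding no key material can compute for `data`."""
    return CHECKSUMS[cktype]["fn"](b"", data)

if __name__ == "__main__":
    key = b"constructed-key"                # constructed sample values
    pac = b"user=alice;groups=users"
    altered = b"user=alice;groups=admins"
    for cktype in CHECKSUMS:
        issued = sign_pac(cktype, key, pac)
        # True here means the checksum over altered data needs no key at all,
        # so it gives the PAC no integrity protection.
        keyless = (CHECKSUMS[cktype]["fn"](key, altered)
                   == checksum_without_key(cktype, altered))
        print(cktype, "PAC issued:", issued is not None,
              "| checksum reproducible without key:", keyless)
```
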