kerberos error: PAC checksum type is not keyed

Andrew Bartlett abartlet at samba.org
Tue Nov 2 20:53:22 MDT 2010


On Tue, 2010-11-02 at 10:55 -0400, Aaron Solochek wrote:
> On 11/02/2010 07:19 AM, Andrew Bartlett wrote:
> > On Wed, 2010-10-27 at 15:39 +1100, Andrew Bartlett wrote:
> >> On Wed, 2010-10-27 at 11:05 +1100, Andrew Bartlett wrote:
> >>> On Thu, 2010-10-21 at 08:17 +1100, Andrew Bartlett wrote:
> >>>> On Wed, 2010-10-20 at 10:22 -0400, Aaron Solochek wrote:
> >>>>> I'm getting ever closer to having nfs4 working with the samba4 kdc.  Currently I
> >>>>> seem to be blocking on the error "PAC checksum type is not keyed" which is
> >>>>> generated by the kdc when nfs sends a PA-TGS-REQ for nfs/foo.bar.com.
> >>>>>
> >>>>> From googling, it seemed to be related to the des-cbc-crc enctype, so I set
> >>>>>
> >>>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
> >>>>>
> >>>>> in krb5.conf on both client and server.
> >>>>>
> >>>>>
> >>>>> Then the problem changes slightly.  With that option set, the client first
> >>>>> requests nfs/foo.bar.com with enctypes "rc4-hmac des-cbc-md5", and that
> >>>>> succeeds, but immediately following that the client sends the exact same
> >>>>> request, only this time the enctypes are back to "des-cbc-crc des-cbc-md5
> >>>>> des-cbc-md4" and it fails again with PAC checksum error.
> >>>>>
> >>>>>
> >>>>> So it seems that I have 2 bugs.
> >>>>>
> >>>>> 1) PAC checksum bug
> >>>>>
> >>>>> 2) kerberos client (libraries or nfs4?) bug that causes the second request
> >>>>> to ignore the enctypes specified in krb5.conf.
> >>>>>
> >>>>>
> >>>>> What can I do about #1?
> >>>>
> >>>> Someone needs to confirm what Windows does here.  The PAC security
> >>>> relies on the checksum being keyed, so my gut feeling is to omit the
> >>>> checksum in this case.  We need to determine if this is a security issue
> >>>> with Windows, or there is some other protection, or Windows omits it.
> >>>> (This should not be relevant for NFSv4, which should never need to use
> >>>> DES, but is important for AFS clients).
> >>>
> >>> I've now looked into the windows behaviour, which is documented here:
> >>> http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
> >>>
> >>> The problem is that when different crypto-systems are used (Example 2),
> >>> Heimdal objects because the keys involved are not the right type or
> >>> length.  I'm working with upstream Heimdal to find out if we can get a
> >>> better API for this, plus a way to handle the crazy windows behaviour
> >>> exception noted there. 
> >>
> >> Attached is my patch for testing.  
> > 
> > A more complete and correct fix is in the autobuild queue, and should be
> > available in master shortly.
> > 
> > Andrew Bartlett
> > 
> 
> I've been trying to rebuild the debian packages with this patch for testing, but
> that package has lots of build issues at the moment.  I think I'm getting close
> to getting it to build, and once I do I'll report back about how it works for me.

Please try with current master.  The new patch is much more elaborate
than the one I posted here. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
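The point behind the error in this thread is that the PAC server signature is only worth checking if the checksum type mixes in a key: des-cbc-crc's CRC-32 (and rsa-md5) can be recomputed by anyone, while HMAC-MD5 (rc4-hmac) cannot. The following is an added illustration written for this archive page, not code from the thread, Samba or Heimdal. It implements the RFC 4757 HMAC-MD5 checksum as specified, uses zlib's CRC-32 as a stand-in for the RFC 3961 CRC-32 variant, and operates on a constructed byte string in place of a real NDR-encoded PAC (a real verifier also zeroes the signature buffers before checksumming; that step is omitted here). The checksum type numbers are the RFC 3961 / MS-KILE values.

```python
"""Keyed versus unkeyed PAC checksums, illustrating the KDC error
"PAC checksum type is not keyed" (illustrative example, not Samba/Heimdal code)."""
import hashlib
import hmac
import struct
import zlib

# Checksum type identifiers: RFC 3961 section 8 and MS-KILE (KERB_CHECKSUM_HMAC_MD5).
CKSUMTYPE_CRC32 = 1                 # unkeyed; mandatory checksum of des-cbc-crc
CKSUMTYPE_RSA_MD5 = 7               # unkeyed; plain MD5
CKSUMTYPE_RSA_MD5_DES = 8           # keyed (DES-CBC over MD5); not implemented here
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16  # keyed; not implemented here
CKSUMTYPE_HMAC_MD5 = -138           # keyed; used with rc4-hmac

UNKEYED_TYPES = {CKSUMTYPE_CRC32, CKSUMTYPE_RSA_MD5}

# Key usage for the PAC server signature (MS-PAC: KERB_NON_KERB_CKSUM_SALT).
KERB_NON_KERB_CKSUM_SALT = 17

# Constructed stand-in for a PAC body; a real PAC is NDR-encoded (KERB_VALIDATION_INFO etc.).
SAMPLE_PAC_BODY = b"PAC_LOGON_INFO:user=aaron;rid=1105;groups=513"


class PacChecksumError(Exception):
    """Raised when the KDC would reject the PAC."""


def is_keyed(cksumtype):
    """True if the checksum type mixes in a key."""
    return cksumtype not in UNKEYED_TYPES


def hmac_md5_checksum(key, usage, data):
    """Keyed checksum of RFC 4757 section 4 (rc4-hmac profile)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def compute_checksum(cksumtype, key, data):
    """Compute the checksum; unkeyed types ignore `key` entirely."""
    if cksumtype == CKSUMTYPE_CRC32:
        # zlib CRC-32 used as a stand-in for the RFC 3961 CRC-32 variant
        # (different init/final XOR); the absence of a key is the point here.
        return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)
    if cksumtype == CKSUMTYPE_RSA_MD5:
        return hashlib.md5(data).digest()
    if cksumtype == CKSUMTYPE_HMAC_MD5:
        if key is None:
            raise ValueError("keyed checksum requires a key")
        return hmac_md5_checksum(key, KERB_NON_KERB_CKSUM_SALT, data)
    raise NotImplementedError(f"checksum type {cksumtype} not implemented")


def verify_server_checksum(cksumtype, service_key, pac_body, signature, require_keyed=True):
    """KDC-side check of the PAC server signature.

    With require_keyed=True an unkeyed type is refused before anything is
    compared, which is the check that produces the error in the thread.
    """
    if require_keyed and not is_keyed(cksumtype):
        raise PacChecksumError("PAC checksum type is not keyed")
    expected = compute_checksum(cksumtype, service_key, pac_body)
    if not hmac.compare_digest(expected, signature):
        raise PacChecksumError("PAC checksum mismatch")
    return True


def forge_without_key(cksumtype, pac_body):
    """What someone holding no service key can do: edit the PAC and recompute.

    Returns (tampered_body, signature) for unkeyed types, None for keyed ones.
    """
    tampered = pac_body.replace(b"rid=1105", b"rid=500")  # RID 500 is the built-in Administrator
    try:
        return tampered, compute_checksum(cksumtype, None, tampered)
    except ValueError:
        return None


if __name__ == "__main__":
    key = bytes(range(16))  # constructed 16-byte rc4-hmac service key
    sig = compute_checksum(CKSUMTYPE_HMAC_MD5, key, SAMPLE_PAC_BODY)
    print("genuine HMAC-MD5 signature accepted:",
          verify_server_checksum(CKSUMTYPE_HMAC_MD5, key, SAMPLE_PAC_BODY, sig))
    tampered, forged = forge_without_key(CKSUMTYPE_CRC32, SAMPLE_PAC_BODY)
    print("forged CRC32 PAC accepted by a lax verifier:",
          verify_server_checksum(CKSUMTYPE_CRC32, key, tampered, forged, require_keyed=False))
    try:
        verify_server_checksum(CKSUMTYPE_CRC32, key, tampered, forged)
    except PacChecksumError as e:
        print("strict verifier:", e)
```

Running it shows the two behaviours side by side: the tampered CRC-32 PAC passes as soon as the keyed requirement is dropped, while the same edit against an HMAC-MD5-signed PAC fails the comparison and cannot be re-signed without the service key.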