kerberos error: PAC checksum type is not keyed

Wed Oct 20 15:17:27 MDT 2010

On Wed, 2010-10-20 at 10:22 -0400, Aaron Solochek wrote:
> I'm getting ever closer to having nfs4 working with the samba4 kdc.  Currently I
> seem to be blocking on the error "PAC checksum type is not keyed" which is
> generated by the kdc when nfs sends a PA-TGS-REQ for nfs/foo.bar.com.
> 
> >From googling, it seemed to be related to the des-cbc-crc enctype, so I set
> 
> default_tkt_enctypes = rc4-hmac des-cbc-md5
> 
> in krb5.conf on both client and server.
> 
> 
> Then the problem changes slightly.  With that option set, the client first
> requests nfs/foo.bar.com with enctypes "rc4-hmac des-cbc-md5", and that
> succeeds, but immediately following that the client sends the exact same
> request, only this time the enctypes are back to "des-cbc-crc des-cbc-md5
> des-cbc-md4" and it fails again with PAC checksum error.
> 
> 
> So it seems that I have 2 bugs.
> 
> 1) PAC checksum bug
> 
> 2) kerberos client (libraries or nfs4?) bug that causes the second request
> ignoring the enctypes specified in krb5.conf.
> 
> 
> What can I do about #1?

Someone needs to confirm what Windows does here.  The PAC security
relies on the checksum being keyed, so my gut feeling is to omit the
checksum in this case.  We need to determine if this is security issue
with Windows, or there is some other protection, or Windows omits it.
(This should not be relevant for NFSv4, which should never need to use
DES, but is important for AFS clients).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101021/d81a900f/attachment.pgp>