[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Issue with PAC and des-cbc-crc


I've been chasing down the issue raised on samba-technical, where kinit
from Heimdal 0.6.3 does not pass against Samba4.

The issue is that in getting a TGT, we create and sign a PAC.  But the
test in pac.c:

    if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
	krb5_set_error_string(context, "PAC checksum type is not keyed");
	return EINVAL;

Fails, because crc isn't a keyed checksum.  

Does windows just blindly create a PAC for these keytypes, or not send a
PAC, or should we just fail more gracefully?

For some reason, the error string doens't make it to the client or the
logs, just 'invalid argument'.

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

This is a digitally signed message part