
heimdal 0.8.1 w2k interop
Hi,

We've found ourselves in a catch-22 situation. There was one thing
preventing us from upgrading our KDCs from heimdal-0.6.x and that was
Windows 2000 clients. But now we've got another kind of client on the
network, namely Thursby's ADmitMac, which unconditionally wants to
perform pre-authentication with an encryption type not supported by
0.6.x :-( The attached patch makes it possible for a 0.8.1 KDC to
interoperate with Windows 2000, yet authenticate newer clients. There
are apparently two things Windows 2000 is allergic to: encryption
types "newer" than ETYPE_DES3_CBC_SHA1 in PA_ENCTYPE_INFO, and
[paradoxically enough] its own ETYPE_ARCFOUR_HMAC_MD5 tickets. And that's
basically what we try to address. The patch was tested with Windows
2000, XP, Vista, MIT krb5 1.3.x, whatever is found in Solaris 8, not to
mention ADmitMac.

Andy is not subscribed to the list, so please keep him on Cc:. A lot of
thanks in advance.

-- 
Björn Sandell               Chalmers University of Technology
IT Services       www.chalmers.se/its      +46 (0)31 772 1000
No one ever says, 'I can't read that ASCII E-mail you sent me.'
--- ./kdc/kerberos5.c.orig	2007-04-23 18:24:42.000000000 +0200
+++ ./kdc/kerberos5.c	2007-05-29 18:51:32.000000000 +0200
@@ -97,10 +97,21 @@
 {
     int i;
     krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+    int broken_windows;
+
+    /* detect win2k/xp */
+    for (broken_windows = 0, i = 0; i < len; i++) {
+	if (etypes[i] == ETYPE_ARCFOUR_HMAC_OLD) broken_windows = 1;
+    }
 
     for(i = 0; ret != 0 && i < len ; i++) {
 	Key *key = NULL;
 
+	/* paradoxically enough both w2k and xp are allergic to
+	 * certain rc4_hmac-encrypted tickets returned by kdc */
+	if (broken_windows && etypes[i] == ETYPE_ARCFOUR_HMAC_MD5)
+	    continue;
+
 	if (krb5_enctype_valid(context, etypes[i]) != 0)
 	    continue;
 
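Review bot: the case where a client flagged as broken_windows offers only ETYPE_ARCFOUR_HMAC_MD5 (plus the old types used for detection) is not handled: the new `continue` skips the only usable enctype, the loop finishes with ret still at its initial KRB5KDC_ERR_ETYPE_NOSUPP, and that client gets an error instead of a ticket. Consider a second pass that allows RC4-HMAC when nothing else matched. The `/* detect win2k/xp */` comment should also say why ETYPE_ARCFOUR_HMAC_OLD in the request identifies those clients, since any client advertising that value is now steered away from RC4-HMAC, and the check reads as a fingerprint rather than a capability test.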
@@ -396,6 +407,9 @@
     memset(pa.val, 0, pa.len * sizeof(*pa.val));
 
     for(j = 0; j < etypes_len; j++) {
+	/* as we're constructing legacy structure, filter off
+	 * "new" enctypes to keep w2k happy... */
+	if (etypes[j] > ETYPE_DES3_CBC_SHA1) continue;
 	for (i = 0; i < n; i++)
 	    if (pa.val[i].etype == etypes[j])
 		goto skip1;
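Review bot: `etypes[j] > ETYPE_DES3_CBC_SHA1` filters by numeric value, so the negative enctypes added in the k5.asn1 hunk (and Heimdal's internal -0x1000 range) pass the test and can end up in the legacy PA-ENCTYPE-INFO if a client lists them; an explicit allow-list of the DES and DES3 types (what the comment actually means by "old") would be safer and self-documenting. Style: the existing code in this function puts the body of an `if` on its own line, so `if (etypes[j] > ETYPE_DES3_CBC_SHA1) continue;` should follow suit.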
@@ -414,6 +428,8 @@
     skip1:;
     }
     for(i = 0; i < client->keys.len; i++) {
+	if (client->keys.val[i].key.keytype > ETYPE_DES3_CBC_SHA1)
+	    continue; /* too new, see above */
 	for(j = 0; j < etypes_len; j++) {
 	    if(client->keys.val[i].key.keytype == etypes[j])
 		goto skip2;
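Review bot: this repeats the `> ETYPE_DES3_CBC_SHA1` test from the previous hunk, now on the principal's stored keys; a small helper (e.g. `is_legacy_enctype()`, a suggested name, not in the source) would keep the two in sync and give the threshold one place to live. More importantly, if every key of the principal is newer than DES3, both filters remove everything and the function continues with no entries added; check that the code after these loops handles that case by omitting PA-ENCTYPE-INFO rather than sending an empty one.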
@@ -544,6 +560,9 @@
 	case ETYPE_DES3_CBC_SHA1:
 	case ETYPE_ARCFOUR_HMAC_MD5:
 	case ETYPE_ARCFOUR_HMAC_MD5_56:
+	case ETYPE_ARCFOUR_MD4:		/* windows specific */
+	case ETYPE_ARCFOUR_HMAC_OLD:
+	case ETYPE_ARCFOUR_HMAC_OLD_EXP:
 	    break;
 	default:
 	    return 0;
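Review bot: the three new cases make the negative Microsoft-private enctypes pass this switch as acceptable, but nothing else in the patch gives the KDC a key or cipher for them, so this return value must only ever be used to classify a request and never to select a key type; a comment saying so would prevent a later caller from relying on it. The `/* windows specific */` comment applies to all three added lines and belongs above the group rather than on ETYPE_ARCFOUR_MD4 alone, and it would help to note that the `_EXP` suffix denotes the export-strength variant in Microsoft's naming so it is not later treated as equivalent to ETYPE_ARCFOUR_HMAC_OLD.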
--- ./lib/asn1/k5.asn1.orig	2007-04-23 18:23:53.000000000 +0200
+++ ./lib/asn1/k5.asn1	2007-05-10 17:23:03.000000000 +0200
@@ -134,6 +134,10 @@
 	ETYPE_ARCFOUR_HMAC_MD5(23),
 	ETYPE_ARCFOUR_HMAC_MD5_56(24),
 	ETYPE_ENCTYPE_PK_CROSS(48),
+-- some "old" windows types
+	ETYPE_ARCFOUR_MD4(-128),
+	ETYPE_ARCFOUR_HMAC_OLD(-133),
+	ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
 -- these are for Heimdal internal use
 	ETYPE_DES_CBC_NONE(-0x1000),
 	ETYPE_DES3_CBC_NONE(-0x1001),
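Review bot: the three added values are Microsoft private-use numbers rather than IANA-assigned enctypes, so the comment should cite their origin (they match the rc4-md4, rc4-hmac-old and rc4-hmac-old-exp numbers given in draft-brezak-win2k-krb-rc4-hmac) so that a later reader does not mistake them for Heimdal-internal values like the -0x1000 block immediately below. It should also state that they are recognised on the wire for client detection only and that the KDC never generates keys of these types, which is all the patch actually does with them.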