
Re: heimdal 0.8.1 w2k interop



> We've found ourselves in a catch-22 situation. There was one thing
> preventing us from upgrading our KDCs from heimdal-0.6.x and that was
> Windows 2000 clients. But now we've got another kind of client on the
> network, namely Thursby's ADmitMac, which unconditionally wants to
> perform pre-authentication with an encryption type not supported by
> 0.6.x :-( The attached patch makes it possible for a 0.8.1 KDC to
> inter-operate with Windows 2000, yet authenticate newer clients. There
> are apparently two things Windows 2000 is allergic to: encryption
> types "newer" than ETYPE_DES3_CBC_SHA1 in PA_ENCTYPE_INFO, and
> [paradoxically enough] its own ETYPE_ARCFOUR_HMAC_MD5 tickets. And that's
> basically what we try to address. The patch was tested with Windows
> 2000, XP, Vista, MIT krb5 1.3.x, whatever is found in Solaris 8, not to
> mention ADmitMac.

So basically sending anything other than

ETYPE_DES_CBC_CRC
ETYPE_DES_CBC_MD4
ETYPE_DES_CBC_MD5
ETYPE_DES3_CBC_SHA1
ETYPE_ARCFOUR_HMAC_MD5
ETYPE_ARCFOUR_HMAC_MD5_56

in etype-info pa is a bad idea?

I'm sure ETYPE_ARCFOUR_HMAC_MD5 works with XP just fine.

What part of ADmitMac will take a password?

Love