
Re: heimdal 0.8.1 w2k interop




On Jun 13, 2007, at 7:57 PM, Love Hörnquist Åstrand wrote:

>> We've found ourselves in catch 22 situation. There was one thing
>> preventing us from upgrading our KDCs from heimdal-0.6.x and that was
>> Windows 2000 clients. But now we've got another kind of clients on
>> network, namely Thursby's ADmitMac, which unconditionally want to
>> perform pre-authentication with encryption type not supported by
>> 0.6.x :-( Attached patch makes it possible for 0.8.1 KDC to
>> inter-operate with Windows 2000, yet authenticate newer clients. There
>> are apparently two things Windows 2000 are allergic to: encryption
>> types "newer" than ETYPE_DES3_CBC_SHA1 in PA_ENCTYPE_INFO, and
>> [paradoxically enough] own ETYPE_ARCFOUR_HMAC_MD5 tickets. And that's
>> basically what we try to address. The patch was tested with Windows
>> 2000, XP, Vista, MIT krb5 1.3.x, whatever found in Solaris 8, not to
>> mention ADmitMac.
>
> So basically sending anything other than
>
> ETYPE_DES_CBC_CRC
> ETYPE_DES_CBC_MD4
> ETYPE_DES_CBC_MD5
> ETYPE_DES3_CBC_SHA1
> ETYPE_ARCFOUR_HMAC_MD5
> ETYPE_ARCFOUR_HMAC_MD5_56
>
> in etype-info PA is a bad idea?
>
> I'm sure ETYPE_ARCFOUR_HMAC_MD5 works with XP just fine.
>
> What part of ADmitMac will take a password ?
>
> Love

I'm likewise sure that ETYPE_ARCFOUR_HMAC_MD5 is a native enctype for
W2K, so it *shouldn't* be a problem.  Doesn't mean it isn't actually a
problem, but it shouldn't be.
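As an added illustration of the policy the thread is arguing about (this is not Heimdal code and not the posted patch, which is not in the archive), a small Python model of a KDC deciding which enctypes to name in PA-ENCTYPE-INFO while still accepting pre-authentication in any type it holds a key for. The etype numbers are the RFC 3961/4120/4757 values; the "withhold from advertisement but still accept" rule is my assumption about what the patch does.

```python
# Constructed model of etype-info advertising for legacy (W2K) interop.
# Not Heimdal's code: the etype ids are the standard RFC values, the
# advertising policy itself is an assumption drawn from the thread.
from typing import Iterable, List, Set

# Kerberos encryption type numbers (RFC 3961, RFC 4120, RFC 4757).
ETYPE_DES_CBC_CRC = 1
ETYPE_DES_CBC_MD4 = 2
ETYPE_DES_CBC_MD5 = 3
ETYPE_DES3_CBC_SHA1 = 16
ETYPE_AES128_CTS_HMAC_SHA1_96 = 17
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
ETYPE_ARCFOUR_HMAC_MD5 = 23
ETYPE_ARCFOUR_HMAC_MD5_56 = 24

# The set Love enumerates as safe to name in etype-info for Windows 2000.
W2K_SAFE_ETYPE_INFO: Set[int] = {
    ETYPE_DES_CBC_CRC, ETYPE_DES_CBC_MD4, ETYPE_DES_CBC_MD5,
    ETYPE_DES3_CBC_SHA1, ETYPE_ARCFOUR_HMAC_MD5, ETYPE_ARCFOUR_HMAC_MD5_56,
}


def etype_info_to_advertise(kdc_etypes: Set[int], client_etypes: Iterable[int],
                            compat: bool = True) -> List[int]:
    """Etypes the KDC names in PA-ENCTYPE-INFO, in the client's preference order.

    Only types both sides support are advertised.  With compat=True (assumed
    policy) anything outside the W2K-safe set is withheld from the
    advertisement so an old client never sees an etype it chokes on.
    """
    common = [e for e in client_etypes if e in kdc_etypes]
    if not compat:
        return common
    return [e for e in common if e in W2K_SAFE_ETYPE_INFO]


def preauth_acceptable(kdc_etypes: Set[int], etype: int) -> bool:
    """PA-ENC-TIMESTAMP in any etype the KDC has a key for is still accepted,
    even if that etype was withheld from etype-info.  This is the "yet
    authenticate newer clients" half of the goal: a client such as ADmitMac
    that insists on a newer type is not turned away by the narrowed advert."""
    return etype in kdc_etypes


if __name__ == "__main__":
    # Constructed sample: a KDC with DES, DES3, AES and RC4 keys.
    kdc = {1, 3, 16, 17, 18, 23}
    print(etype_info_to_advertise(kdc, [18, 17, 23, 16, 3]))  # [23, 16, 3]
    print(preauth_acceptable(kdc, ETYPE_AES256_CTS_HMAC_SHA1_96))  # True
```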