
Re: heimdal 0.8.1 w2k interop

On Jun 13, 2007, at 7:57 PM, Love Hörnquist Åstrand wrote:

>> We've found ourselves in a catch-22 situation. There was one thing
>> preventing us from upgrading our KDCs from heimdal-0.6.x and that was
>> Windows 2000 clients. But now we've got another kind of clients on
>> network, namely Thursby's ADmitMac, which unconditionally want to
>> perform pre-authentication with encryption type not supported by
>> 0.6.x :-( Attached patch makes it possible for 0.8.1 KDC to
>> inter-operate with Windows 2000, yet authenticate newer clients. There
>> are apparently two things Windows 2000 is allergic to: encryption
>> types "newer" than ETYPE_DES3_CBC_SHA1 in PA_ENCTYPE_INFO, and
>> [paradoxically enough] its own ETYPE_ARCFOUR_HMAC_MD5 tickets. And that's
>> basically what we try to address. The patch was tested with Windows
>> 2000, XP, Vista, MIT krb5 1.3.x, whatever found in Solaris 8, not to
>> mention ADmitMac.
> So basically sending anything other than
> in etype-info pa is a bad idea?
> I'm sure ETYPE_ARCFOUR_HMAC_MD5 works with XP just fine.
> What part of ADmitMac will take a password?
> Love

I'm likewise sure that ETYPE_ARCFOUR_HMAC_MD5 is a native enctype for
W2K, so it *shouldn't* be a problem.  Doesn't mean it isn't actually a
problem, but it shouldn't.