
heimdal 1.0.1 w2k interop


Some time this summer we reported interoperability issues between
heimdal 0.8.1 and w2k. The problem was two-fold:

- w2k can parse only the PA_ENCTYPE_INFO structure, while heimdal fails to
provide this structure because it fails to identify w2k as an "old" client;
- w2k (and even xp) seem to have a hard-coded limitation on cryptotypes
when not talking to an AD controller; most notably, it refuses/fails to
use rc4_hmac for pre-authentication against a heimdal/mit kdc.

The first issue is still present in 1.0.1, because it fails to identify
legacy Microsoft cryptotypes as "old" ones. The attached patch does the
trick for us [by adding the just-mentioned cryptotypes to older_enctype()]
and [so far] has been tested with w2k, wxp, vista, mit krb5 and admitmac.

The second issue disappeared in 1.0.1, apparently because of the changed
order of appearance of supported cryptotypes in the PA_ENCTYPE_INFO[2]
reply. I mean 0.8.1 was ordering the supported ones in the same order as
they appeared in the client's KDC_REQ, most notably with rc4_hmac first.
1.0.1, on the other hand, seems to return cipher types with des-cbc-md5
first, and w2k manages to successfully get a TGT and proceed further.

Cheers.
A.
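The decision the mail is describing, modelled as an added example (this is not Heimdal's code and not the attached patch): a KDC classifies a client as "old" only when every enctype in its KDC_REQ is a legacy type, and only an "old" client gets the pre-RFC 4120 PA-ETYPE-INFO padata alongside PA-ETYPE-INFO2. The enctype and padata numbers are the standard RFC 3961/3962/4757/4120 values; the "only legacy enctypes" rule, the two classifier variants (with and without the RC4-HMAC types) and the w2k-like request list are assumptions made here to illustrate why a classifier that does not know the Microsoft RC4 types never sends PA-ETYPE-INFO to such a client.

```c
#include <stddef.h>
#include <stdio.h>

/* Standard encryption type numbers (RFC 3961, RFC 3962, RFC 4757). */
enum {
    ETYPE_DES_CBC_CRC          = 1,
    ETYPE_DES_CBC_MD4          = 2,
    ETYPE_DES_CBC_MD5          = 3,
    ETYPE_DES3_CBC_SHA1        = 16,
    ETYPE_AES128_CTS_HMAC_SHA1 = 17,
    ETYPE_AES256_CTS_HMAC_SHA1 = 18,
    ETYPE_ARCFOUR_HMAC_MD5     = 23,
    ETYPE_ARCFOUR_HMAC_MD5_56  = 24
};

/* Pre-authentication data types (RFC 4120, section 7.5.2). */
enum { PA_ETYPE_INFO = 11, PA_ETYPE_INFO2 = 19 };

/* Hypothetical classifier: the legacy set WITHOUT Microsoft's RC4 types
 * (models the behaviour the mail reports for 1.0.1 before the fix). */
static int legacy_enctype_without_rc4(int etype)
{
    switch (etype) {
    case ETYPE_DES_CBC_CRC:
    case ETYPE_DES_CBC_MD4:
    case ETYPE_DES_CBC_MD5:
    case ETYPE_DES3_CBC_SHA1:
        return 1;
    default:
        return 0;
    }
}

/* Same classifier with the RC4-HMAC types treated as legacy as well. */
static int legacy_enctype_with_rc4(int etype)
{
    switch (etype) {
    case ETYPE_ARCFOUR_HMAC_MD5:
    case ETYPE_ARCFOUR_HMAC_MD5_56:
        return 1;
    default:
        return legacy_enctype_without_rc4(etype);
    }
}

/* Assumed rule: a client is "old" only if every enctype it offers is legacy.
 * An empty list is not treated as legacy. */
static int client_is_legacy(const int *etypes, size_t n, int (*is_legacy)(int))
{
    size_t i;
    if (n == 0)
        return 0;
    for (i = 0; i < n; i++)
        if (!is_legacy(etypes[i]))
            return 0;
    return 1;
}

/* Returns 1 if the KDC should add PA-ETYPE-INFO (in addition to the
 * PA-ETYPE-INFO2 it always sends) to its KDC_ERR_PREAUTH_REQUIRED reply. */
static int needs_pa_etype_info(const int *etypes, size_t n, int (*is_legacy)(int))
{
    return client_is_legacy(etypes, n, is_legacy);
}

/* Constructed sample requests (not captured traffic). The w2k-like list
 * puts rc4_hmac first, as the mail describes for the client's KDC_REQ. */
static const int w2k_request[] = {
    ETYPE_ARCFOUR_HMAC_MD5, ETYPE_ARCFOUR_HMAC_MD5_56,
    ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_CRC
};
static const size_t w2k_request_len = sizeof w2k_request / sizeof w2k_request[0];

static const int modern_request[] = {
    ETYPE_AES256_CTS_HMAC_SHA1, ETYPE_AES128_CTS_HMAC_SHA1,
    ETYPE_DES3_CBC_SHA1, ETYPE_ARCFOUR_HMAC_MD5
};
static const size_t modern_request_len = sizeof modern_request / sizeof modern_request[0];

int main(void)
{
    printf("w2k-like request, RC4 not legacy: PA-ETYPE-INFO sent = %d\n",
           needs_pa_etype_info(w2k_request, w2k_request_len, legacy_enctype_without_rc4));
    printf("w2k-like request, RC4 legacy:     PA-ETYPE-INFO sent = %d\n",
           needs_pa_etype_info(w2k_request, w2k_request_len, legacy_enctype_with_rc4));
    printf("AES-capable request, RC4 legacy:  PA-ETYPE-INFO sent = %d\n",
           needs_pa_etype_info(modern_request, modern_request_len, legacy_enctype_with_rc4));
    printf("padata types: ETYPE-INFO=%d ETYPE-INFO2=%d\n", PA_ETYPE_INFO, PA_ETYPE_INFO2);
    return 0;
}
```

The first classifier never flags the w2k-like request as legacy because rc4_hmac is in the list, so the client that can only parse PA-ETYPE-INFO gets only PA-ETYPE-INFO2; adding the two RC4-HMAC types flips that decision without affecting an AES-capable client, which still sees only PA-ETYPE-INFO2.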