[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: heimdal 1.0.1 w2k interop
> There is some new option in the latest version of the W2K3 tools that
> allows you to specifically enable rc4 with non-windows Kerberos. I
> presume you are making use of that, and the problem persists?
The only tool I'm aware of is ktpass that instructs W2K3SP1[!] domain
controller[!] to use rc4 on trust[!] key. I admittedly was not clear
this time, but we have problems with W2KPro[!] unjoined[!]
workstation[!], with Windows integrated Kerberos. Point is that without
proposed patch *nothing* happens on W2KPro. It sends a request, gets
"you should pre-authenticate" reply [with PA_ENCTYPE_INFO2 structure
alone] and just stops there. Once again, because it apparently
requires/expects PA_ENCTYPE_INFO structure and doesn't get one. Even
second problem mentioned in 1st message was occurring long before any
trust magic can happen, w2k (and even xp) client was failing to
pre-authenticate getting first TGT. Cheers. A.
>>> - w2k can parse only PA_ENCTYPE_INFO structure, while heimdal fails
>>> to provide this structure, because it fails to identify w2k as "old"
>>> First issue is still present in 1.0.1, because it fails to identify
>>> legacy Microsoft cryptotypes as "old" ones. Attached patch does the
>>> trick for us [by adding just mentioned cryptotypes to
>>> older_enctype()] and [so far] was tested with w2k, wxp, vista, mit
>>> krb5 and admitmac.