
Re: heimdal 1.0.1 w2k interop

Good morning,

> There is some new option in the latest version of the W2K3 tools that 
> allows you to specifically enable rc4 with non-windows Kerberos.  I 
> presume you are making use of that, and the problem persists?

The only tool I'm aware of is ktpass, which instructs a W2K3SP1[!] domain
controller[!] to use rc4 on the trust[!] key. I admittedly was not clear
this time, but we have problems with a W2KPro[!] unjoined[!]
workstation[!], with Windows integrated Kerberos. The point is that without
the proposed patch *nothing* happens on W2KPro. It sends a request, gets a
"you should pre-authenticate" reply [with the PA_ENCTYPE_INFO2 structure
alone] and just stops there. Once again, because it apparently
requires/expects a PA_ENCTYPE_INFO structure and doesn't get one. Even the
second problem mentioned in the 1st message was occurring long before any
trust magic can happen: the w2k (and even xp) client was failing to
pre-authenticate when getting the first TGT.

Cheers. A.

>>> - w2k can parse only PA_ENCTYPE_INFO structure, while heimdal fails 
>>> to provide this structure, because it fails to identify w2k as "old" 
>>> client;
>>> First issue is still present in 1.0.1, because it fails to identify 
>>> legacy Microsoft cryptotypes as "old" ones. Attached patch does the 
>>> trick for us [by adding just mentioned cryptotypes to 
>>> older_enctype()] and [so far] was tested with w2k, wxp, vista, mit 
>>> krb5 and admitmac.
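
The selection logic discussed in this message, as an added example that is not part of the original post and is not Heimdal's code: a simplified model of an `older_enctype()` check deciding whether the KDC's pre-authentication hint carries the ETYPE-INFO structure alongside ETYPE-INFO2. Assumptions: the enum names, the `ms_legacy_is_old` switch, the choice of which Microsoft legacy enctypes to include (the post does not list them), and the sample etype lists, which are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Positive values are IANA enctype numbers; negative ones are Microsoft's
 * legacy private enctypes (assumed set, the post does not list them). */
enum { DES_CBC_CRC = 1, DES_CBC_MD4 = 2, DES_CBC_MD5 = 3, DES3_CBC_SHA1 = 16,
       AES128_CTS = 17, AES256_CTS = 18, RC4_HMAC = 23, RC4_HMAC_EXP = 24,
       MS_RC4_MD4 = -128, MS_RC4_HMAC_OLD = -133, MS_RC4_HMAC_OLD_EXP = -135 };

enum { HINT_ETYPE_INFO = 1, HINT_ETYPE_INFO2 = 2 };  /* bit flags */

/* Model of older_enctype(); ms_legacy_is_old = 0 is the pre-patch behaviour. */
static int older_enctype(int etype, int ms_legacy_is_old)
{
    switch (etype) {
    case DES_CBC_CRC: case DES_CBC_MD4: case DES_CBC_MD5:
    case DES3_CBC_SHA1: case RC4_HMAC: case RC4_HMAC_EXP:
        return 1;
    case MS_RC4_MD4: case MS_RC4_HMAC_OLD: case MS_RC4_HMAC_OLD_EXP:
        return ms_legacy_is_old;
    default:
        return 0;   /* AES and anything unknown counts as "newer" */
    }
}

/* RFC 4120 rule: ETYPE-INFO2 is always sent; ETYPE-INFO is added only when
 * the AS-REQ lists no "newer" enctype at all. */
static int pa_hints(const int *etypes, size_t n, int ms_legacy_is_old)
{
    for (size_t i = 0; i < n; i++)
        if (!older_enctype(etypes[i], ms_legacy_is_old))
            return HINT_ETYPE_INFO2;
    return HINT_ETYPE_INFO | HINT_ETYPE_INFO2;
}

/* Constructed AS-REQ etype lists, not captured from real clients. */
static const int w2k_like[] = { RC4_HMAC, MS_RC4_HMAC_OLD, MS_RC4_MD4,
                                DES_CBC_MD5, DES_CBC_CRC, RC4_HMAC_EXP,
                                MS_RC4_HMAC_OLD_EXP };
static const int modern[] = { AES256_CTS, AES128_CTS, RC4_HMAC };

int main(void)
{
    printf("w2k-like, unpatched: %d\n", pa_hints(w2k_like, 7, 0));
    printf("w2k-like, patched:   %d\n", pa_hints(w2k_like, 7, 1));
    printf("modern,   patched:   %d\n", pa_hints(modern, 3, 1));
    return 0;
}
```

A single unrecognised negative enctype in the request is enough to make the whole client look "newer", which is why the W2K-like list gets ETYPE-INFO2 alone until the legacy types are classified as old.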