[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal 1.0.1 w2k interop

> Some time this summer we have reported interoperability issues  
> between heimdal 0.8.1 and w2k. The problem was two-fold:
> - w2k can parse only PA_ENCTYPE_INFO structure, while heimdal fails  
> to provide this structure, because it fails to identify w2k as  
> "old" client;
> - w2k (and even xp) seem to have hard-coded limitation for  
> cryptotypes when it's not talking to AD controller, most notably it  
> refuses/fails to use rc4_hmac for pre-authentication against  
> heimdal/mit kdc;
> First issue is still present in 1.0.1, because it fails to identify  
> legacy Microsoft cryptotypes as "old" ones. Attached patch does the  
> trick for us [by adding just mentioned cryptotypes to older_enctype 
> ()] and [so far] was tested with w2k, wxp, vista, mit krb5 and  
> admitmac.

Maybe all enctypes with lower numbers the aes should be considered  
"old". Anyway, added your patch.

> Second issue disappeared in 1.0.1. Apparently because of changed  
> order of appearance of supported cryptotypes in PA_ENCTYPE_INFO[2]  
> reply. I mean 0.8.1 was ordering supported ones in same order as  
> they were appearing in client's KDC_REQ, most notably with rc4_hmac  
> first. 1.0.1 on the other hand seem to return cypher types with des- 
> cbc-md5 first and w2k manages to successfully get TGT and proceed  
> further. Cheers. A.

Does an joined windows machine pick up "better" enctypes then des  
when its sent in ETYPE_INFO ?