[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal 1.0.1 w2k interop

To: heimdal-discuss@sics.se, Andy Polyakov <appro@fy.chalmers.se>
Subject: Re: heimdal 1.0.1 w2k interop
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Thu, 18 Oct 2007 20:33:04 +0200
In-Reply-To: <4714E5AF.2060805@fy.chalmers.se>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <4714E5AF.2060805@fy.chalmers.se>
Reply-To: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>

> Some time this summer we have reported interoperability issues  
> between heimdal 0.8.1 and w2k. The problem was two-fold:
>
> - w2k can parse only PA_ENCTYPE_INFO structure, while heimdal fails  
> to provide this structure, because it fails to identify w2k as  
> "old" client;
> - w2k (and even xp) seem to have hard-coded limitation for  
> cryptotypes when it's not talking to AD controller, most notably it  
> refuses/fails to use rc4_hmac for pre-authentication against  
> heimdal/mit kdc;
>
> First issue is still present in 1.0.1, because it fails to identify  
> legacy Microsoft cryptotypes as "old" ones. Attached patch does the  
> trick for us [by adding just mentioned cryptotypes to older_enctype 
> ()] and [so far] was tested with w2k, wxp, vista, mit krb5 and  
> admitmac.

Maybe all enctypes with lower numbers the aes should be considered  
"old". Anyway, added your patch.

> Second issue disappeared in 1.0.1. Apparently because of changed  
> order of appearance of supported cryptotypes in PA_ENCTYPE_INFO[2]  
> reply. I mean 0.8.1 was ordering supported ones in same order as  
> they were appearing in client's KDC_REQ, most notably with rc4_hmac  
> first. 1.0.1 on the other hand seem to return cypher types with des- 
> cbc-md5 first and w2k manages to successfully get TGT and proceed  
> further. Cheers. A.

Does an joined windows machine pick up "better" enctypes then des  
when its sent in ETYPE_INFO ?

Love

Follow-Ups:
- Re: heimdal 1.0.1 w2k interop
  - From: Andy Polyakov <appro@fy.chalmers.se>

References:
- heimdal 1.0.1 w2k interop
  - From: Andy Polyakov <appro@fy.chalmers.se>

Prev by Date: Re: Setting DNS Servers Manually?
Next by Date: Re: Setting DNS Servers Manually?
Prev by thread: Re: heimdal 1.0.1 w2k interop
Next by thread: Re: heimdal 1.0.1 w2k interop
Index(es):
- Date
- Thread