[6064] in Kerberos
Using Kerberos V5 Client with DCE's secd via UDP port 88
daemon@ATHENA.MIT.EDU (V.Sander)
Mon Oct 30 05:13:31 1995
To: kerberos@MIT.EDU
Date: 30 Oct 1995 08:00:16 GMT
From: zdv123@zam092.zam.kfa-juelich.de (V.Sander)
Hi,
I have a problem with the interoperability of the Kerberos V5 Library
(Implementation Beta_5.0: krb5.src.B5.tar.Z) with AIX4s DCE
(the old one, based on DCE 1.0).
I installed Kerberos on Solaris 2.4 by using the configure script and tried
to use a self-developed application with AIX4s secd.
The idea of the application is to get a TGT which is forwardable, proxiable,
allow_postdated and renewable (i.e. 0x54800000). This TGT is submitted
to a server which should handle further ticket requests for the user.
Calling krb5_get_in_tkt_with_password() I receive an error that
the requested options cannot be fulfilled by the kerberos server
(the routine works if I do not specify any ticket options or if I connect
to a native kerberos realm).
Looking at other Kerberos V5 implementations (Beta_1 V0 which in fact
is difficult to install under Solaris 2.4) I recognized,
that the file lib/asn.1/cvt_flags.c converts the flags by a
transformation table swbits[flag-byte].
Using the same transformation table for decoding my KDC_OPTIONS
(i.e. the new submitted options are 0x2a010000) I receive a TGT.
The problem is that this TGT has some strange options.
Without using swbits I see 0x00000200,
with swbits the options are 0x00004000.
Everything else seems to work. Running klist indicates an existing
TGT with correct expiration-date.
Does anyone have some information about the asn.1-decoding mechanism
used by the OSF for KDC-tickets?
Please email any suggestions and ideas to v.sander@kfa-juelich.de
Many thanks, Volker
By the way:
There is a bug in krb5_rd_cred_basic()! The krb5_data pdata structure should
NOT be freed! It is used by pcur->ticket!!!!
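
The flag words quoted in the message above are consistent with swbits[] being a per-byte bit-reversal table. The C sketch below is an added example, not code from the post or from the krb5 or DCE sources; it assumes that reading of swbits[] and the RFC 1510 bit numbers for KDC options, and its function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Reverse the bit order inside one byte. ASSUMPTION: this is what a
 * 256-entry swbits[] lookup would return for index b. */
static uint8_t reverse_byte(uint8_t b)
{
    b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4)); /* swap nibbles */
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2)); /* swap bit pairs */
    b = (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1)); /* swap neighbours */
    return b;
}

/* Reverse bits within each byte of a flags word; byte order is untouched. */
uint32_t swap_flag_bits(uint32_t flags)
{
    uint32_t out = 0;
    for (int shift = 0; shift < 32; shift += 8)
        out |= (uint32_t)reverse_byte((uint8_t)(flags >> shift)) << shift;
    return out;
}

/* ASN.1 BIT STRING numbering: bit 0 is the most significant bit. */
uint32_t asn1_bit(int n) { return UINT32_C(0x80000000) >> n; }

/* RFC 1510 KDCOptions: forwardable(1), proxiable(3), allow-postdate(5), renewable(8). */
uint32_t requested_options(void)
{
    return asn1_bit(1) | asn1_bit(3) | asn1_bit(5) | asn1_bit(8);
}

/* ASN.1 bit number of a word with exactly one bit set, else -1. */
int asn1_bit_number(uint32_t flags)
{
    for (int n = 0; n < 32; n++)
        if (flags == asn1_bit(n)) return n;
    return -1;
}

int main(void)
{
    uint32_t opts = requested_options();
    printf("requested KDC options  : 0x%08x\n", (unsigned)opts);
    printf("after per-byte reversal: 0x%08x\n", (unsigned)swap_flag_bits(opts));
    /* Ticket flag words quoted in the post; RFC 1510 defines only bits 0..11. */
    printf("0x00000200 -> ASN.1 bit %d\n", asn1_bit_number(0x00000200u));
    printf("0x00004000 -> ASN.1 bit %d\n", asn1_bit_number(0x00004000u));
    return 0;
}
```

Read MSB-first, both returned ticket flag words land on bit numbers above the 0 to 11 range that RFC 1510 assigns, which matches the "strange options" observation.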