[16287] in Kerberos_V5_Development
Re: wrong checksum type for arcfour-hmac-md5
daemon@ATHENA.MIT.EDU (Stefan (metze) Metzmacher)
Wed Sep 15 11:47:37 2010
Message-ID: <4C90EA91.3030407@samba.org>
Date: Wed, 15 Sep 2010 17:47:29 +0200
From: "Stefan (metze) Metzmacher" <metze@samba.org>
MIME-Version: 1.0
To: Luke Howard <lhoward@mit.edu>
In-Reply-To: <B5C9161B-116D-4F8F-8574-7D8DF67CC99F@mit.edu>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: multipart/mixed; boundary="===============1589017243=="
Errors-To: krbdev-bounces@mit.edu
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Hi Luke,
>> I found that MIT kerberos uses the wrong (not the same as windows and
>> heimdal)
>> checksum for arcfour-hmac-md5.
>
> I would be cautious about changing the default checksum type for rc4-hmac in etypes.c. RFC 4757 is pretty clear that the mandatory checksum type is CKSUMTYPE_HMAC_MD5_ARCFOUR.
But windows doesn't use it...
See the following capture in frame 145.
http://samba.org/~metze/ads/w2k3-107-becomes-w2k3-dc.cap
http://samba.org/~metze/ads/w2k3-107.keytab
http://samba.org/~metze/ads/w2k3-107-becomes-w2k3-dc.cap-frame-145.png
> Can you point me to where in the GSS-API RFCs and/or Windows protocol documents it specifies *not* sending a 0x8003 as part of the AP-REQ in a Kerberos InitialContextToken? I don't believe Windows clients ever do this? Samba is taking advantage of the fact that Windows servers are liberal acceptors but this isn't specified anywhere to my knowledge (OK, I haven't looked).
>
> I would suggest instead your self-made GSSAPI use krb5_auth_con_set_req_cksumtype() to force the checksum type you want.
This should be used directly before the krb5_mk_req_extended()?
Here: http://gitweb.samba.org/?p=cifs-utils.git;a=blob;f=cifs.upcall.c
metze
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev