[33378] in Kerberos


bug report: S4U2Self Solaris-10 -> Windows-2003 fails with

daemon@ATHENA.MIT.EDU (Richard Silverman)
Thu May 12 20:07:13 2011

Date: Thu, 12 May 2011 20:07:05 -0400 (EDT)
From: Richard Silverman <res@qoxp.net>
To: MIT Kerberos <kerberos@mit.edu>
Message-ID: <alpine.DEB.1.10.1105121947470.22892@seraph.oankali.net>
Errors-To: kerberos-bounces@mit.edu


Hello,

configuration
-------------
   client: MIT Kerberos 1.9.1 on Solaris-10
      KDC: Windows 2003 domain controller


Using the supplied t_s4u.c test program, S4U2Self fails with
KRB5KRB_AP_ERR_MODIFIED (41).  The TGS_REQ uses a checksum of type
CKSUMTYPE_RSA_MD5_DES(8) in the PA-S4U2SELF(129) field.  However, if I
apply this patch to force CKSUMTYPE_CRC32(1) instead:

--------------------------------------------------------------------------------
--- src/lib/krb5/krb/s4u_creds.c.orig   2010-04-22 23:29:40.000000000 +0000
+++ src/lib/krb5/krb/s4u_creds.c        2011-05-12 23:55:48.504446000 +0000
@@ -181,7 +181,7 @@
          return code;
      }

-    code = krb5_c_make_checksum(context, cksumtype, key,
+    code = krb5_c_make_checksum(context, CKSUMTYPE_CRC32, key,
                                  KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
                                  cksum);
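Review bot: hardcoding CKSUMTYPE_CRC32 in the krb5_c_make_checksum call overrides the cksumtype selected earlier in this function for every session-key enctype, so it works as a diagnostic that isolates the checksum type, not as a fix; the upstream change belongs in how cksumtype is derived for the enctype that produced CKSUMTYPE_RSA_MD5_DES here. Note also that CRC-32 is an unkeyed checksum, so the `key` and `KRB5_KEYUSAGE_APP_DATA_CKSUM` arguments still passed on the following two lines no longer influence the value; with this patch the PA-S4U2SELF checksum that the KDC accepts is not bound to the TGT session key.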
--------------------------------------------------------------------------------

... then the S4U2Self request succeeds.  I thought to do this because I
already had it working with Heimdal, and it uses the CRC checksum.

I have attached network traces of the failing and working transactions.
The principal impersonator/dportal@DESHAW.COM is authorized on the Windows
KDC for constrained delegation with protocol transition; this transaction
asks for an S4U2Self ticket issued to res@DESHAW.COM for
impersonator/dportal@DESHAW.COM.

Thanks,

- Richard Silverman
   res@qoxp.net

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
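To make the checksum question in this report concrete, the following added example (my own illustration, not code from the report or from MIT Kerberos) builds the bytes that the PA-FOR-USER (PA-S4U2SELF) checksum covers and computes two checksum flavours over them. It assumes the input layout of MS-SFU section 2.2.1 (little-endian name-type, name-string components, realm, auth-package), implements CKSUMTYPE_CRC32 (1) as the RFC 3961 section 6.1.3 variant (ISO 3309 table, zero initial register, no final inversion, little-endian output), and implements a keyed checksum using the HMAC-MD5 construction of RFC 4757 section 4 with key usage 17, the value the patched call passes as KRB5_KEYUSAGE_APP_DATA_CKSUM. The report does not say which keyed type the Windows 2003 KDC expected, so the keyed variant is an illustration of what binding the request to the TGT session key looks like; SAMPLE_KEY is a constructed stand-in and the impersonated name is the one from the report.

```python
"""PA-FOR-USER checksum input and two Kerberos checksum types.

Added example; not code from the bug report or from MIT Kerberos.
Assumptions: MS-SFU 2.2.1 checksum-input layout, RFC 3961 6.1.3 CRC-32,
RFC 4757 section 4 HMAC-MD5 checksum. SAMPLE_KEY is a constructed value.
"""
import hashlib
import hmac
import struct
import zlib

KRB5_KEYUSAGE_APP_DATA_CKSUM = 17   # usage number the reporter's patched call passes
KRB_NT_PRINCIPAL = 1                # RFC 4120 name-type for an ordinary principal
SAMPLE_KEY = bytes(range(16))       # constructed stand-in for a TGT session key


def _make_table():
    # Standard reflected CRC-32 table (polynomial 0xEDB88320)
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (0xEDB88320 ^ (c >> 1)) if c & 1 else (c >> 1)
        table.append(c)
    return table


_TABLE = _make_table()


def krb5_crc32(data: bytes) -> int:
    """RFC 3961 6.1.3 CRC-32: ISO 3309 table, zero initial register, no final inversion."""
    crc = 0
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc


def krb5_crc32_via_zlib(data: bytes) -> int:
    """Cross-check against the usual CRC-32: four leading 0xFF bytes drive zlib's
    0xFFFFFFFF initial register to zero, and the XOR undoes its final inversion."""
    return zlib.crc32(b"\xff\xff\xff\xff" + data) ^ 0xFFFFFFFF


def crc32_checksum(data: bytes) -> bytes:
    """Checksum octets for CKSUMTYPE_CRC32: the 32-bit value, least significant octet first.
    No key is involved: this type cannot bind the request to the session key."""
    return struct.pack("<I", krb5_crc32(data))


def pa_for_user_checksum_input(name_type, name_string, realm, auth_package="Kerberos"):
    """Bytes the PA-FOR-USER checksum covers (MS-SFU 2.2.1): little-endian name-type,
    the name-string components concatenated, the realm, then the auth-package string."""
    return (struct.pack("<I", name_type)
            + "".join(name_string).encode("utf-8")
            + realm.encode("utf-8")
            + auth_package.encode("utf-8"))


def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """Keyed checksum per RFC 4757 section 4:
    Ksign = HMAC(K, "signaturekey" + NUL); tmp = MD5(usage_le || data); HMAC(Ksign, tmp)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_hmac_md5(key: bytes, usage: int, data: bytes, received: bytes) -> bool:
    """Constant-time comparison, as a KDC-side check should do it."""
    return hmac.compare_digest(hmac_md5_checksum(key, usage, data), received)


def demo():
    # Impersonated user from the report: res@DESHAW.COM
    data = pa_for_user_checksum_input(KRB_NT_PRINCIPAL, ["res"], "DESHAW.COM")
    keyed = hmac_md5_checksum(SAMPLE_KEY, KRB5_KEYUSAGE_APP_DATA_CKSUM, data)
    # A request naming a different user must not verify under the original checksum
    other = pa_for_user_checksum_input(KRB_NT_PRINCIPAL, ["someoneelse"], "DESHAW.COM")
    return {
        "input": data,
        "crc32": crc32_checksum(data),
        "hmac_md5": keyed,
        "keyed_rejects_other_user": not verify_hmac_md5(
            SAMPLE_KEY, KRB5_KEYUSAGE_APP_DATA_CKSUM, other, keyed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The point worth keeping in mind when reading the report: a KDC that accepts the CRC-32 type is accepting a checksum any party can recompute, so the keyed variant is the one that actually ties the impersonated name and realm to the holder of the TGT session key.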

