[krbdev.mit.edu #2110] MIT KDC fails to handle unknown padata

DEEngert@anl.gov via RT rt-comment at krbdev.mit.edu
Wed Feb 11 18:30:36 EST 2004




Tom Yu via RT wrote:
> 
> >>>>> "DEEngert" == DEEngert at anl gov via RT <rt-comment at krbdev.mit.edu> writes:
> 
> DEEngert> to a 1.2.8 KDC, I can get it to fail if the user principal has
> DEEngert> the REQUIRE_PRE_AUTH attribute. When it is not set the kinit works.
> 
> DEEngert> Have you tried this combination?
> 
> DEEngert> kinit output:
> 
> DEEngert> orleans.ctd.anl.gov% kinit -m b17783 at KRB5.ANL.GOV
> DEEngert> kinit(v5): Preauthentication failed while getting initial credentials
> 
> DEEngert> KDC log:
> 
> DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
> DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783 at KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV at KRB5.ANL.GOV, Preauthentication failed
> 
> I think the code is functioning as I expect it to, in this case.

No.

> After all, you require preauth, and you didn't provide any preauth
> that it understood.  Or are you saying that it should ask for
> additional preauth rather than returning "preauth failed"?

Yes, on the first AS-REQ the client does not know what preauth, if any,
is required. So it just sends the PA-PAC-REQUEST. It has to do this on
the first request, as preauth may not be needed.

If preauth is not required the KDC ignores the PA-PAC-REQUEST and it works.   

If preauth is required, a krb-error SHOULD be sent saying which preauths can be used. 

I think the KDC code sees some preauth data (PA-PAC-REQUEST), but not any it
can use, and assumes that this must be a second AS-REQ request and that it
has already sent the client a krb-error with the list of preauths.

So the KDC sends the failed message, and never sends the list of required preauths.
 

> 
> ---Tom

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
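The dispatch logic the report describes, as an added model written for this thread (it is not code from MIT krb5 or from either poster). It encodes the two KDC behaviours side by side: the reported one, where any padata present with REQUIRE_PRE_AUTH set is treated as a failed preauth attempt, and the expected one, where a request carrying no usable preauth element is answered with KDC_ERR_PREAUTH_REQUIRED listing the mechanisms the KDC accepts. The padata type numbers and error codes are the RFC 4120 / MS-KILE values; the function names, the `Outcome` record and the `verify_preauth` callback are this example's own assumptions, and the replayed request is constructed from the thread's description.

```python
"""Model of how a KDC should dispatch on the padata in an AS-REQ.

Added illustration for the krbdev.mit.edu #2110 discussion; not code
from MIT krb5.  Type numbers and error codes are the RFC 4120 values;
the function and record names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# PA-DATA types (RFC 4120 section 7.5.2) and the PAC request type (MS-KILE).
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO = 11
PA_ETYPE_INFO2 = 19
PA_PAC_REQUEST = 128

# KRB-ERROR codes (RFC 4120 section 7.5.9).
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25

# Preauth mechanisms this model KDC can actually verify (assumed set).
KDC_SUPPORTED_PREAUTH = {PA_ENC_TIMESTAMP}


@dataclass
class Outcome:
    kind: str                          # "TGT" or "KRB-ERROR"
    error_code: Optional[int] = None
    # padata types advertised in the KRB-ERROR e-data (for PREAUTH_REQUIRED)
    e_data: List[int] = field(default_factory=list)
    reason: str = ""


def kdc_padata_dispatch(require_preauth: bool,
                        request_padata: List[int],
                        verify_preauth: Callable[[int], bool],
                        buggy: bool = False) -> Outcome:
    """Decide how the KDC answers an AS-REQ from the padata it carries.

    verify_preauth(pa_type) stands in for checking a recognised element
    (for PA-ENC-TIMESTAMP: decrypting the timestamp with the client key).
    buggy=True reproduces the behaviour reported in the thread.
    """
    if not require_preauth:
        # Informational padata such as PA-PAC-REQUEST is simply ignored.
        return Outcome("TGT", reason="no preauth required")

    usable = [t for t in request_padata if t in KDC_SUPPORTED_PREAUTH]

    if not usable:
        if buggy and request_padata:
            # Reported 1.2.8 behaviour: "no valid preauth type found" is
            # answered with PREAUTH_FAILED and the accepted list is never sent.
            return Outcome("KRB-ERROR", KDC_ERR_PREAUTH_FAILED,
                           reason="padata present but none usable")
        # Expected behaviour: this is the client's first attempt, so tell it
        # which mechanisms it may use (plus ETYPE-INFO2 for the salt/etype).
        return Outcome("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED,
                       e_data=sorted(KDC_SUPPORTED_PREAUTH) + [PA_ETYPE_INFO2],
                       reason="no usable preauth supplied; advertising types")

    if any(verify_preauth(t) for t in usable):
        return Outcome("TGT", reason="preauth verified")
    return Outcome("KRB-ERROR", KDC_ERR_PREAUTH_FAILED,
                   reason="supplied preauth did not verify")


def replay_report(buggy: bool) -> Outcome:
    """The kinit from the report (constructed from the thread's description):
    REQUIRE_PRE_AUTH is set and the first AS-REQ carries only PA-PAC-REQUEST."""
    return kdc_padata_dispatch(True, [PA_PAC_REQUEST], lambda t: False, buggy=buggy)


if __name__ == "__main__":
    for mode in (True, False):
        out = replay_report(buggy=mode)
        print("buggy" if mode else "fixed", out.kind, out.error_code, out.e_data, out.reason)
```

Run stand-alone, the buggy path yields error 24 (PREAUTH_FAILED) with no e-data, matching the "Preauthentication failed" seen by kinit; the fixed path yields error 25 (PREAUTH_REQUIRED) carrying PA-ENC-TIMESTAMP and PA-ETYPE-INFO2, which is what lets the client retry with a preauth element the KDC can check.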

