configure Kerberos client to always send (timestamp)
swbell
kerygma2 at swbell.net
Mon Feb 3 10:50:33 EST 2003
I assume the API that allows this is krb5_get_init_creds_password, and the
associated krb5_get_init_creds_opt_set_preauth_list.
Where is there documentation on putting stuff in the preauth list?
My Active Directory domain controller (Windows 2003) wants three preauth
types (debug output below):
salt len=-1; preauth data types: 11 2 15
etype info 0: etype 3 salt len=17 'KERYGMA.ORGnelson>\xef\xbf\xbd9'
etype info 1: etype 1 salt len=17 'KERYGMA.ORGnelson'
It looks like you could always guess that the salt is the realm with the
username concatenated.
These correspond to KRB5_PADATA_ETYPE_INFO, KRB5_PADATA_ENC_TIMESTAMP, and 15
is not documented (??)
Anyone know about PADATA type 15?
in article 87d6m9xwqb.fsf at luminous.mit.edu, Sam Hartman at hartmans at mit.edu
wrote on 2/3/03 8:28 AM:
>>>>>> "Wood," == Wood, Justin S <Justin.S.Wood at team.telstra.com> writes:
> Wood,> Perhaps I've missed the point, but should it not be
> Wood,> possible to configure the client to always send preauth,
> Wood,> and hence remove the initial redundant protocol
> Wood,> interaction?
>
> I believe that current APIs allow this, but kinit does not currently
> implement that feature.
>
> In future, it will be less useful as the client will need more
> information from the KDC to make a correct guess about what preauth or
> encryption types to use.
>
> So you should not expect to see anyone actually exposing this support
> in kinit.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
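The salt observation in the message can be checked against its two "etype info" debug lines. The following is an added example, not part of the original message and not MIT krb5 code; the realm KERYGMA.ORG and user name nelson are assumed from the salt string, and parse_salt and salt_is_default are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed from the two "etype info" debug lines quoted in the message. */
static const char *SAMPLE[] = {
    "etype info 0: etype 3 salt len=17 'KERYGMA.ORGnelson>\\xef\\xbf\\xbd9'",
    "etype info 1: etype 1 salt len=17 'KERYGMA.ORGnelson'",
};

/* Copy exactly `salt len` bytes of the quoted salt: the printed string can
 * run past the advertised length, as on the etype 3 line. */
static int parse_salt(const char *line, char *salt, size_t cap)
{
    int idx, etype, len;
    const char *q = strchr(line, '\'');
    if (sscanf(line, "etype info %d: etype %d salt len=%d", &idx, &etype, &len) != 3)
        return -1;
    if (!q || len < 0 || (size_t)len >= cap || strlen(q + 1) < (size_t)len)
        return -1;
    memcpy(salt, q + 1, (size_t)len);
    salt[len] = '\0';
    return len;
}

/* Compare against realm + user name (single-component principal).
 * 1 = salt is the default, 0 = KDC supplied another salt, -1 = not parsed. */
static int salt_is_default(const char *line, const char *realm, const char *user)
{
    char got[128], want[128];
    int n = snprintf(want, sizeof want, "%s%s", realm, user);
    if (n < 0 || (size_t)n >= sizeof want ||
        parse_salt(line, got, sizeof got) < 0)
        return -1;
    return strcmp(got, want) == 0;
}

int main(void)
{
    for (int i = 0; i < 2; i++)   /* realm and user name are assumed values */
        printf("entry %d default salt: %d\n", i,
               salt_is_default(SAMPLE[i], "KERYGMA.ORG", "nelson"));
    return 0;
}
```

The KDC sends ETYPE-INFO because the salt is not guaranteed to be the default (for example after a principal is renamed), so a match on these two entries does not make the guess safe in general.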