configure Kerberos client to always send (timestamp)

swbell kerygma2 at swbell.net
Mon Feb 3 12:49:00 EST 2003


This is the minimum code to keep Active Directory from putting Failure Audit
stuff in the event log:

    #include <string.h>
    #include <krb5.h>

    /* Fill caller-supplied options; pass them to krb5_get_init_creds_password(). */
    static void set_always_preauth(krb5_get_init_creds_opt *outOptions)
    {
        krb5_preauthtype    preauth[] = { KRB5_PADATA_ENC_TIMESTAMP }; /* PA type 2 */
        krb5_enctype        etypes[] = { ENCTYPE_DES_CBC_MD5 };        /* etype 3   */

        memset(outOptions, 0, sizeof(*outOptions));
        krb5_get_init_creds_opt_init(outOptions);
        krb5_get_init_creds_opt_set_address_list(outOptions, NULL); /* addressless ticket */
        krb5_get_init_creds_opt_set_etype_list(outOptions, etypes,
                                               sizeof(etypes) / sizeof(krb5_enctype));
        krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth,
                                                 sizeof(preauth) / sizeof(krb5_preauthtype));
    }



in article BA63EBE9.9F84%kerygma2 at swbell.net, swbell at kerygma2 at swbell.net
wrote on 2/3/03 9:50 AM:

> I assume the API that allows this is
>   krb5_get_init_creds_password,
> And the associated krb5_get_init_creds_opt_set_preauth_list.
> 
> Where is there documentation on putting stuff in the preauth list?
> 
> My Active Directory domain controller (Windows 2003) wants three preauth
> types (debug output below):
> 
> salt len=-1; preauth data types: 11 2 15
> etype info 0: etype 3 salt len=17 'KERYGMA.ORGnelson>\xef\xbf\xbd9'
> etype info 1: etype 1 salt len=17 'KERYGMA.ORGnelson'
> 
> It looks like you could always guess that the salt is the realm with the
> username concatenated.
> 
> These correspond to
>   KRB5_PADATA_ETYPE_INFO, KRB5_PADATA_ENC_TIMESTAMP, and 15 is not
> documented (??)
> 
> Anyone know about PADATA type 15?
> 
> in article 87d6m9xwqb.fsf at luminous.mit.edu, Sam Hartman at hartmans at mit.edu
> wrote on 2/3/03 8:28 AM:
> 
>>>>>>> "Wood," == Wood, Justin S <Justin.S.Wood at team.telstra.com> writes:
>>   Wood,> Perhaps I've missed the point, but should it not be
>>   Wood,> possible to configure the client to always send preauth,
>>   Wood,> and hence remove the initial redundant protocol
>>   Wood,> interaction?
>> 
>> I believe that current APIs allow this, but kinit does not currently
>> implement that feature.
>> 
>> In future, it will be less useful as the client will need more
>> information from the KDC to make a correct guess about what preauth or
>> encryption types to use.
>> 
>> So you should not expect to see anyone actually exposing this support
>> in kinit.
>> 
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> 
> 
> 

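Editor's note, added to this archive page and not part of the thread above: the
debug output quoted in the message ("preauth data types: 11 2 15", "etype info 0:
etype 3 salt len=17 ...") is the decoded form of the METHOD-DATA the KDC returns in
the e-data of its KDC_ERR_PREAUTH_REQUIRED error, and the client chooses its
preauth list and enctype from it. The example below decodes that structure with a
minimal DER walker (Python standard library only, so it needs no libkrb5) and makes
the same choice the krb5 options in the message hard-code. The sample e-data is
constructed here to match the quoted output; it is not a capture from the poster's
KDC. PA type names follow RFC 4120 section 7.5.2, where type 15 is PA-PK-AS-REP_OLD
(PKINIT); the default salt rule (realm followed by the name components) is RFC 4120
section 4.3.5, which is why the poster sees REALM+username.

```python
"""Decode a KDC's METHOD-DATA (SEQUENCE OF PA-DATA) and pick a preauth plan.

Added example, not code from the thread.  Kerberos ASN.1 uses EXPLICIT
context tags, so every field is [n] wrapping a universal type.  Only the
encodings needed here are implemented; the sample e-data is CONSTRUCTED.
"""

# RFC 4120 section 7.5.2 (subset) -- used for naming only.
PA_NAMES = {1: "PA-TGS-REQ", 2: "PA-ENC-TIMESTAMP", 3: "PA-PW-SALT",
            11: "PA-ETYPE-INFO", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2"}

# --- tiny DER encoder, enough to build sample KDC e-data ---------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _int(n: int) -> bytes:                 # non-negative Int32; extra byte keeps sign clear
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _ctx(n: int, inner: bytes) -> bytes:   # [n] EXPLICIT
    return _tlv(0xA0 | n, inner)

def _seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))

def build_method_data(padata) -> bytes:
    """[(padata-type, padata-value bytes), ...] -> DER METHOD-DATA."""
    return _seq(*[_seq(_ctx(1, _int(t)), _ctx(2, _tlv(0x04, v))) for t, v in padata])

def build_etype_info(entries) -> bytes:
    """[(etype, salt bytes or None), ...] -> DER ETYPE-INFO (PA type 11 value)."""
    out = []
    for etype, salt in entries:
        fields = [_ctx(0, _int(etype))]
        if salt is not None:
            fields.append(_ctx(1, _tlv(0x04, salt)))
        out.append(_seq(*fields))
    return _seq(*out)

# --- tiny DER decoder --------------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def _fields(body: bytes) -> dict:
    """Unwrap the [n] EXPLICIT members of one SEQUENCE into {n: inner value}."""
    fields = {}
    for tag, wrapped in _children(body):
        _inner_tag, inner_val, _ = _read_tlv(wrapped, 0)
        fields[tag & 0x1F] = inner_val
    return fields

def parse_method_data(der: bytes):
    """DER METHOD-DATA -> [(padata-type, padata-value bytes), ...]."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE")
    return [(int.from_bytes(f[1], "big", signed=True), f[2])
            for f in (_fields(pa) for _t, pa in _children(body))]

def parse_etype_info(der: bytes):
    """DER ETYPE-INFO -> [(etype, salt bytes or None), ...]."""
    _tag, body, _ = _read_tlv(der, 0)
    return [(int.from_bytes(f[0], "big", signed=True), f.get(1))
            for f in (_fields(e) for _t, e in _children(body))]

# --- client-side decision ----------------------------------------------------
def default_salt(realm: str, components) -> bytes:
    """RFC 4120 4.3.5 default salt: realm then name components, no separators."""
    return (realm + "".join(components)).encode()

def plan_preauth(edata: bytes, supported_etypes):
    """Return (advertised PA types, chosen etype, salt); raise if unusable."""
    padata = parse_method_data(edata)
    types = [t for t, _ in padata]
    if 2 not in types:
        raise ValueError("KDC did not offer PA-ENC-TIMESTAMP")
    for t, value in padata:
        if t == 11:                          # PA-ETYPE-INFO: KDC's etype/salt hints
            for etype, salt in parse_etype_info(value):
                if etype in supported_etypes:
                    return types, etype, salt
    raise ValueError("no mutually supported etype in ETYPE-INFO")

# Constructed sample mirroring the quoted debug output (not a real capture).
SALT = b"KERYGMA.ORGnelson"
SAMPLE_EDATA = build_method_data([
    (11, build_etype_info([(3, SALT), (1, SALT)])),   # etype 3 (des-cbc-md5), 1 (des-cbc-crc)
    (2, b""),                                         # PA-ENC-TIMESTAMP offered, empty value
    (15, b""),                                        # PA-PK-AS-REP_OLD: PKINIT advertised
])

if __name__ == "__main__":
    types, etype, salt = plan_preauth(SAMPLE_EDATA, {3})
    print("preauth data types:", " ".join(f"{t} ({PA_NAMES.get(t, '?')})" for t in types))
    print("use etype", etype, "salt", salt, "==", default_salt("KERYGMA.ORG", ["nelson"]))
```

With the constructed e-data, plan_preauth selects etype 3 and the 17-byte salt,
which is exactly the pair the krb5 options in the message above pin to
ENCTYPE_DES_CBC_MD5 and the default salt. A client that always sends
PA-ENC-TIMESTAMP without first reading this structure is guessing both values;
that is the trade-off Sam Hartman points at in the quoted reply.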