In the TGS_REQ packet, KDC_REQ_BODY is missing
Surendra Babu
surendra06 at gmail.com
Mon Apr 3 10:36:12 EDT 2006
Hi Team,
Thank you for your information. Thaks a lot for your guidance. COuld you
please let me know your thoughts on ..How TGS_REQ packet generation happens,
What steps should be followed? In my TGS_REQ packet, KDC_REQ_BODY fileds are
missing.
Please find attached my capture file. Please have a look at the TGS_REQ
packet. It is saying that short frame. (I am using TCP and working with MIT
code and UNIX KDC.) In that packet, KDC_REQ_BODY is missing and giving the
probelm from there onwards.
Could you please throw some light on this issue?
I followed the beloew mentioned steps to form the TGS_REQ packet. Please let
me know if I miss something.
============================================================
krb5_error_code *krb5_FormTGSReq*(krb5_kdc_req *tgs_req, krb5_context
context)
{
krb5_data *scratch=NULL;
krb5_checksum checksum;
krb5_authenticator authent;
krb5_timestamp tgt_exptime;
krb5_error_code retval, iRet;
char server_name[500] = {0, };
* // copy the TGT Expiration time to tmp variable
* tgt_exptime = kdc_server_time+36000; //as_reply->enc_part2->
times.endtime;
*//Fillup the tgs_req fields*
tgs_req->magic = KV5M_KDC_REQ;
tgs_req->msg_type = KRB5_TGS_REQ;
tgs_req->kdc_options = KDC_OPT_RENEWABLE_OK;
tgs_req->client = NULL; // Optional
//Assign the SMTP Server principal name
sprintf(ServiceName, "%s@%s","host/dpdniclin1.sisodomain.com",
auth_user_data.realm_domain);
iRet = krb5_parse_name(context,ServiceName,&(tgs_req->server));
if(iRet != NULL)
{
return -1;
}
tgs_req->from = NULL; // Optional
tgs_req->till = tgt_exptime; //Till the tgt expiration time
tgs_req->rtime = NULL;
tgs_req->nonce = rand(); //put some no for testing purpose -Gopi
if(krb5_make_clientaddr(&(tgs_req->addresses)) != KERB_SUCCESS)
{
DEBUG_KERB_PRINT("[kerberos_formTgsReq] Client Addr Failed");
return KERB_FAILURE;
}
tgs_req->unenc_authdata = NULL; // Optional
tgs_req->second_ticket = NULL; // Optional
tgs_req->ktype = (krb5_enctype *) malloc(sizeof(get_in_tkt_enctypes));
memcpy(tgs_req->ktype,get_in_tkt_enctypes,sizeof(get_in_tkt_enctypes));
*//filling up with Encryption types suported*
tgs_req->nktypes = (sizeof(get_in_tkt_enctypes)/sizeof(krb5_enctype));
* // Encode the TGS-REQ body into scratch to calculate checksum
* retval = encode_krb5_kdc_req_body(tgs_req,&scratch);
if(retval)
{
if(scratch)
krb5_free_data(NULL, scratch);
return KERB_FAILURE;
}
* // Calculate the Checksum using the scratch
* if ((retval = krb5_c_make_checksum(NULL, CKSUMTYPE_RSA_MD5,
as_reply->enc_part2->session,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
scratch, &checksum)))
{
free(checksum.contents);
if(scratch)
krb5_free_data(NULL, scratch);
return(KERB_FAILURE);
}
// DO the clean Up here
if(scratch)
krb5_free_data(NULL,scratch);
*//Form the PA Data.*
if(KERB_SUCCESS != Form_PAData(&(tgs_req->padata),&checksum, context))
{
free(checksum.contents);
return KERB_FAILURE;
}
return KERB_SUCCESS;
}
=========================================================
With the above client code, I could generate the PA_DATA in the TGS_REQ
packet but I could not generate the KDC_REQ_BODY fileds, though I filled up
the tgs_req fields.
If you look at the second attached network capture, it shows the correct
TGS_REQ packet. It contains the KDC_REQ_BODY fileds also. This is taken from
MS-windows client code. BUt with my client code's TGS_REQ packet,
KDC_REQ_BODY fileds are missing.
Could you please let me know your thoughts after going through the attached
network capture.
Appreciate your thoughts. Thank you.
-Surendra
More information about the Kerberos
mailing list