KBR_ERROR definition

Marcus Watts mdw at umich.edu
Mon Jul 17 15:05:48 EDT 2006


Joseph Kuan <joe.kuan at itheon.com> writes:
> Hi,
> 
>   Just by inspecting a KRB_ERROR packet, how can I tell this is the 
> error response of AS_REQ or TGS_REQ apart from knowing the application 
> number of previous packet?
> 
> Many thanks
> Joe

I don't believe you can.  MIT & Heimdal code create sockets with "wild"
abandon - ensuring that each request (& perhaps its retries) goes over a
unique socket.  That's how they pair up the error response with the
request.   The multiple sockets are because they're mainly concerned
with identifying which connection and server caused the error, not
which request.  You might be able to make a *guess* as to what sort of
request generated a krb5_error packet based on the error code and
whether and what client and server were returned, but some kinds of
error returns won't return those even if you thought you supplied
them.

Just out of curiosity, why would you be sending both an AS-REQ and a
TGS-REQ over the same socket at the same time in the first place?

				-Marcus Watts
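
The pairing described in the reply above, as an added example that is not part of the original post and is not MIT or Heimdal code: a monitor labels each KRB_ERROR by the request last seen on the same client socket, and falls back to a guess from the error code when no request was captured. The datagram dict layout, the hint sets and the sample traffic are assumptions constructed for illustration; the application tags and error codes are the RFC 4120 values.

```python
# Added illustration, not MIT or Heimdal code. Inputs are constructed,
# already-decoded summaries of UDP datagrams to and from a KDC.
AS_REQ, TGS_REQ, KRB_ERROR = 10, 12, 30   # ASN.1 application tags (RFC 4120)
REQUEST_NAMES = {AS_REQ: "AS-REQ", TGS_REQ: "TGS-REQ"}

# Heuristic hints only (assumption): codes that normally arise in one exchange.
AS_HINTS = {6, 23, 24, 25}        # C_PRINCIPAL_UNKNOWN, KEY_EXPIRED, PREAUTH_FAILED/REQUIRED
TGS_HINTS = {32, 33, 34, 35, 36}  # KRB_AP_ERR_* raised while checking the TGT in a TGS-REQ


def guess_from_error(error_code):
    """Fallback guess from the error code alone; may be wrong or undecided."""
    if error_code in AS_HINTS:
        return "AS-REQ (guess)"
    if error_code in TGS_HINTS:
        return "TGS-REQ (guess)"
    return "unknown"


def pair_errors(datagrams):
    """Label each KRB_ERROR with the request type that caused it.

    Each datagram is a dict with src and dst as (ip, port) tuples, tag, and,
    for errors, error_code. Pairing is per client socket, as the post describes.
    """
    pending = {}   # (client_addr, kdc_addr) -> tag of the outstanding request
    results = []
    for d in datagrams:
        if d["tag"] in REQUEST_NAMES:
            pending[(d["src"], d["dst"])] = d["tag"]
        elif d["tag"] == KRB_ERROR:
            req = pending.pop((d["dst"], d["src"]), None)
            label = REQUEST_NAMES[req] if req is not None else guess_from_error(d["error_code"])
            results.append((d["dst"], d["error_code"], label))
    return results


# Constructed sample traffic: two paired sockets, then two errors with no captured request.
KDC = ("192.0.2.10", 88)
SAMPLE = [
    {"src": ("192.0.2.50", 40001), "dst": KDC, "tag": AS_REQ},
    {"src": ("192.0.2.50", 40002), "dst": KDC, "tag": TGS_REQ},
    {"src": KDC, "dst": ("192.0.2.50", 40002), "tag": KRB_ERROR, "error_code": 7},
    {"src": KDC, "dst": ("192.0.2.50", 40001), "tag": KRB_ERROR, "error_code": 25},
    {"src": KDC, "dst": ("192.0.2.77", 40003), "tag": KRB_ERROR, "error_code": 24},
    {"src": KDC, "dst": ("192.0.2.77", 40004), "tag": KRB_ERROR, "error_code": 60},
]
```

Error code 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) is resolved only because the socket pairing exists; on its own it fits either exchange, which is why the fallback stays a guess.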