bug report: S4U2Self Solaris-10 -> Windows-2003 fails with CKSUMTYPE_RSA_MD5_DES(8) checksum
Richard Silverman
res at qoxp.net
Thu May 12 20:07:05 EDT 2011
Hello,

configuration
-------------
client: MIT Kerberos 1.9.1 on Solaris-10
KDC: Windows 2003 domain controller

Using the supplied t_s4u.c test program, S4U2Self fails with
KRB5KRB_AP_ERR_MODIFIED (41). The TGS_REQ uses a checksum of type
CKSUMTYPE_RSA_MD5_DES(8) in the PA-S4U2SELF(129) field. However, if I
apply this patch to force CKSUMTYPE_CRC32(1) instead:
--------------------------------------------------------------------------------
--- src/lib/krb5/krb/s4u_creds.c.orig 2010-04-22 23:29:40.000000000 +0000
+++ src/lib/krb5/krb/s4u_creds.c 2011-05-12 23:55:48.504446000 +0000
@@ -181,7 +181,7 @@
return code;
}
- code = krb5_c_make_checksum(context, cksumtype, key,
+ code = krb5_c_make_checksum(context, CKSUMTYPE_CRC32, key,
KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
cksum);
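Review bot: The krb5_c_make_checksum call now passes the constant CKSUMTYPE_CRC32 where it used to pass cksumtype, so every request built through this path gets a CRC32 checksum regardless of key type or KDC. CRC32 is an unkeyed checksum, so the key argument still passed on that line no longer protects the checksummed data. As a diagnostic this narrows the failure to the checksum type, but it should not be merged as a fix in this form: keep the cksumtype variable and correct how its value is chosen so that a keyed type the KDC accepts is used. A comment at the call recording which checksum types were seen to fail and to succeed against Windows 2003 would also help.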
--------------------------------------------------------------------------------
... then the S4U2Self request succeeds. I thought to do this because I
already had it working with Heimdal, and it uses the CRC checksum.

I have attached network traces of the failing and working transactions.

The principal impersonator/dportal at DESHAW.COM is authorized on the Windows
KDC for constrained delegation with protocol transition; this transaction
asks for a S4U2Self ticket issued to res at DESHAW.COM for
impersonator/dportal at DESHAW.COM.

Thanks,

- Richard Silverman
res at qoxp.net