bug report: S4U2Self Solaris-10 -> Windows-2003 fails with CKSUMTYPE_RSA_MD5_DES(8) checksum

Richard Silverman res at qoxp.net
Thu May 12 20:07:05 EDT 2011


Hello,

configuration
-------------
   client: MIT Kerberos 1.9.1 on Solaris-10
      KDC: Windows 2003 domain controller


Using the supplied t_s4u.c test program, S4U2Self fails with
KRB5KRB_AP_ERR_MODIFIED (41).  The TGS_REQ uses a checksum of type
CKSUMTYPE_RSA_MD5_DES(8) in the PA-S4U2SELF(129) field.  However, if I
apply this patch to force CKSUMTYPE_CRC32(1) instead:

--------------------------------------------------------------------------------
--- src/lib/krb5/krb/s4u_creds.c.orig   2010-04-22 23:29:40.000000000 +0000
+++ src/lib/krb5/krb/s4u_creds.c        2011-05-12 23:55:48.504446000 +0000
@@ -181,7 +181,7 @@
          return code;
      }

-    code = krb5_c_make_checksum(context, cksumtype, key,
+    code = krb5_c_make_checksum(context, CKSUMTYPE_CRC32, key,
                                  KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
                                  cksum);
--------------------------------------------------------------------------------

... then the S4U2Self request succeeds.  I thought to do this because I
already had it working with Heimdal, and it uses the CRC checksum.

I have attached network traces of the failing and working transactions.
The principal impersonator/dportal at DESHAW.COM is authorized on the Windows
KDC for constrained delegation with protocol transition; this transaction
asks for a S4U2Self ticket issued to res at DESHAW.COM for
impersonator/dportal at DESHAW.COM.

Thanks,

- Richard Silverman
   res at qoxp.net


More information about the Kerberos mailing list