clock skew and preauth
Chris Hecker
checker at d6.com
Tue Mar 20 19:53:15 EDT 2012
> I think the error message you're seeing is from the encrypted
> timestamp preauth, not the FAST encrypted challenge preauth. Are you
> doing anything that would trigger FAST?

I don't know enough to answer that question. When I break in
process_as_req, the request->padata is 149 the first time through, and
then 2, 133, and 149 the second time through. 138
(KRB5_PADATA_ENCRYPTED_CHALLENGE) doesn't show up there, yet gdb says
the .so is loaded, and I can set breakpoints in it (that don't get hit).
There's no error in the krb5kdc.log for it (there is a log entry for
pkinit preauth, for example, which I don't use and haven't set up).

Does the fact that it doesn't show up in request->padata mean I'm not
setting it right on the client side or something?

Chris

On 2012/03/20 16:19, Tom Yu wrote:
> Chris Hecker <checker at d6.com> writes:
>
>> Also, the encrypted_challenge_main.c file does check this:
>>
>> if (labs(now-ts->patimestamp) < context->clockskew) {
>>
>> and gives the KRB5KRB_AP_ERR_SKEW error, which is the same check the
>> timestamp preauth does, so I don't see how it could work. But, I'm
>> having trouble getting gdb to break there, so I'm not sure it's getting
>> called.
>
> I think the error message you're seeing is from the encrypted
> timestamp preauth, not the FAST encrypted challenge preauth. Are you
> doing anything that would trigger FAST?
>