[krbdev.mit.edu #6490] [Russ Allbery] Bug#528729: libkrb5-3: cannot obtain cross-realm tickets with Windows 2003 AD

Greg Hudson via RT rt-comment at krbdev.mit.edu
Mon May 18 16:44:54 EDT 2009


Findings so far, if I'm interpreting this all correctly:

1. It's probably a bug in the TGS path with rc4 keys against AD, not an
issue retrieving or storing the cross TGTs.

2. The immediate problem arises from using a keyed checksum in the TGS
request.  Something about the way we are doing that causes AD to fail
the integrity check.

3. If we go back to using an unkeyed checksum (as we did in 1.6), we run
into a second problem: we get a reply back from AD that we can't
decrypt, even with the workaround of r22325.  That problem dates back to
when we started using subkeys in TGS requests.

Sam can now reproduce at least the immediate problem against WIN.MIT.EDU.


