[krbdev.mit.edu #7791] S4U2Self fails with Windows 2008
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Dec 5 12:33:47 EST 2013
I can reproduce this by breaking FAST recognition in the MIT KDC. We also
have a report that it fails with Heimdal, which is FAST-unaware.

When we encode the FAST TGS request, we move the S4U2Self padata into the
FAST inner body. A FAST-unaware KDC only sees the outer body and
interprets the request as a regular TGS request, and issues a ticket for
server -> server. gc_via_tkt.c detects this at line 269 and bombs out
with a locally generated KRB5KDC_ERR_PADATA_TYPE_NOSUPP.

I have asked Sam for advice on the best fix.
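
The failure described in the message above, as a small added model in C; it is not part of the original message and is not MIT krb5 code. It shows why moving the S4U2Self padata into the FAST inner body makes a FAST-unaware KDC return a server -> server ticket, which the client then rejects. All struct and function names, the principals, and the client-side check (comparing the ticket's client with the requested user) are assumptions made for illustration; 16 is the RFC 4120 protocol code for KDC_ERR_PADATA_TYPE_NOSUPP.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model; every name here is hypothetical. */
enum { ERR_NONE = 0, ERR_PADATA_TYPE_NOSUPP = 16 };  /* RFC 4120 error code 16 */

struct tgs_req {
    const char *server;          /* service asking for a ticket to itself */
    const char *outer_for_user;  /* S4U2Self user in the outer padata, or NULL */
    const char *inner_for_user;  /* S4U2Self user in the FAST inner body, or NULL */
};
struct ticket { const char *client, *server; };

/* Client: with FAST, the S4U2Self padata travels only in the inner body. */
static struct tgs_req encode_s4u2self(const char *server, const char *user, int use_fast)
{
    struct tgs_req r = { server, NULL, NULL };
    if (use_fast) r.inner_for_user = user;
    else          r.outer_for_user = user;
    return r;
}

/* KDC: a FAST-unaware KDC never reads the inner body, so it sees a plain TGS
 * request and names the requesting service itself as the ticket's client. */
static struct ticket kdc_issue(const struct tgs_req *r, int kdc_knows_fast)
{
    const char *user = r->outer_for_user;
    if (user == NULL && kdc_knows_fast) user = r->inner_for_user;
    struct ticket t = { user ? user : r->server, r->server };
    return t;
}

/* Client: refuse a reply whose ticket is not for the impersonated user. */
static int check_reply(const struct ticket *t, const char *user)
{
    return strcmp(t->client, user) == 0 ? ERR_NONE : ERR_PADATA_TYPE_NOSUPP;
}

int s4u2self(const char *server, const char *user, int use_fast, int kdc_knows_fast)
{
    struct tgs_req r = encode_s4u2self(server, user, use_fast);
    struct ticket t = kdc_issue(&r, kdc_knows_fast);
    return check_reply(&t, user);
}

int main(void)
{
    const char *svc = "HTTP/web.example.test", *usr = "alice";  /* constructed */
    printf("FAST, FAST-aware KDC:      %d\n", s4u2self(svc, usr, 1, 1));
    printf("FAST, FAST-unaware KDC:    %d\n", s4u2self(svc, usr, 1, 0));
    printf("no FAST, FAST-unaware KDC: %d\n", s4u2self(svc, usr, 0, 0));
    return 0;
}
```

The client-side rejection is what keeps the wrongly scoped ticket from being used as if it were evidence for the impersonated user.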