[krbdev.mit.edu #7791] S4U2Self fails with Windows 2008
Sumit Bose via RT
rt-comment at krbdev.mit.edu
Thu Dec 5 12:52:58 EST 2013
On Thu, Dec 05, 2013 at 12:33:47PM -0500, Greg Hudson via RT wrote:
> I can reproduce this by breaking FAST recognition in the MIT KDC. We also
> have a report that it fails with Heimdal, which is FAST-unaware.
>
> When we encode the FAST TGS request, we move the S4U2Self padata into the
> FAST inner body. A FAST-unaware KDC only sees the outer body and
> interprets the request as a regular TGS request, and issues a ticket for
> server -> server. gc_via_tkt.c detects this at line 269 and bombs out
> with a locally generated KRB5KDC_ERR_PADATA_TYPE_NOSUPP.

Thank you for looking into this. I checked with Wireshark and can
confirm that with Windows 2008 I see exactly what you described above.

bye,
Sumit

>
> I have asked Sam for advice on the best fix.
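
The failure mode discussed in this message, as an added toy model in C (not MIT krb5 code and not part of the original thread): a KDC that does not understand FAST parses only the outer padata, so S4U2Self padata moved into the FAST inner body is never seen and the ticket comes back as server -> server. The principal names, struct layout and function names are hypothetical, and the client-side check is a simplification of the one the message attributes to gc_via_tkt.c.

```c
#include <stdio.h>
#include <string.h>

/* Padata type numbers: PA-FOR-USER (MS-SFU), PA-FX-FAST (RFC 6113). */
enum { PA_FOR_USER = 129, PA_FX_FAST = 136 };
/* RFC 4120 error number for KDC_ERR_PADATA_TYPE_NOSUPP. */
enum { ERR_PADATA_TYPE_NOSUPP = 16 };

struct tgs_req {
    int outer[2], n_outer;  /* padata every KDC parses */
    int inner[2], n_inner;  /* padata inside the FAST inner body */
};

static int has_for_user(const int *pa, int n)
{
    for (int i = 0; i < n; i++)
        if (pa[i] == PA_FOR_USER)
            return 1;
    return 0;
}

/* Toy KDC (assumed S4U2Self-capable): returns the ticket's client name. */
static const char *kdc_issue(const struct tgs_req *r, int fast_aware,
                             const char *server, const char *user)
{
    int s4u = has_for_user(r->outer, r->n_outer);
    if (fast_aware)  /* only a FAST-aware KDC opens the inner body */
        s4u = s4u || has_for_user(r->inner, r->n_inner);
    return s4u ? user : server;  /* no S4U2Self seen: server -> server */
}

/* Returns 0 if the ticket names the user, else ERR_PADATA_TYPE_NOSUPP. */
int s4u2self_roundtrip(int use_fast, int kdc_fast_aware)
{
    const char *server = "host/app.example.test", *user = "alice"; /* constructed */
    struct tgs_req r = { {0}, 0, {0}, 0 };
    if (use_fast) {
        r.outer[r.n_outer++] = PA_FX_FAST;   /* armored request */
        r.inner[r.n_inner++] = PA_FOR_USER;  /* S4U2Self moved inside */
    } else {
        r.outer[r.n_outer++] = PA_FOR_USER;
    }
    const char *client = kdc_issue(&r, kdc_fast_aware, server, user);
    return strcmp(client, server) == 0 ? ERR_PADATA_TYPE_NOSUPP : 0;
}

int main(void)
{
    printf("FAST, FAST-unaware KDC: %d\n", s4u2self_roundtrip(1, 0));
    printf("FAST, FAST-aware KDC:   %d\n", s4u2self_roundtrip(1, 1));
    printf("no FAST, unaware KDC:   %d\n", s4u2self_roundtrip(0, 0));
    return 0;
}
```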