[krbdev.mit.edu #7646] PAC checksum verification failed with enterprise principals
Sumit Bose via RT
rt-comment at krbdev.mit.edu
Mon May 27 05:18:37 EDT 2013
On Sat, May 25, 2013 at 10:56:28AM -0400, Greg Hudson via RT wrote:
> I think this is as simple as parsing with KRB5_PRINCIPAL_PARSE_ENTERPRISE
> instead of KRB5_PRINCIPAL_PARSE_NO_REALM.
yes, I think this would work, but only on clients where default_realm is
set in /etc/krb5.conf.
>
> I'm a bit puzzled why there is an enterprise principal in a PAC client-
> info buffer, though. I thought enterprise principals were for lookup,
> while a PAC contains a canonical name.
Yes, I thought so too. But since the client principal from the Kerberos ticket is
an enterprise principal as well (the principal argument to
k5_pac_validate_client is of type KRB5_NT_ENTERPRISE_PRINCIPAL) and the
PAC-CLIENT-INFO buffer should be used to verify that the PAC and the client of
the ticket match, I think it makes sense that the cname from the
enterprise principal is used here.
bye,
Sumit
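An added example, not code from this thread or from MIT krb5: a small Python stand-in for krb5_parse_name_flags under the two flags discussed above, with the client-info comparison built on it. The flag, name-type and error names are krb5's; the parsing rules are a simplified model, and the principal names are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# Real krb5 name-type values; the parse flags are kept symbolic in this model.
KRB5_NT_PRINCIPAL = 1
KRB5_NT_ENTERPRISE_PRINCIPAL = 10

class ParseFlag(Enum):
    NO_REALM = "KRB5_PRINCIPAL_PARSE_NO_REALM"
    ENTERPRISE = "KRB5_PRINCIPAL_PARSE_ENTERPRISE"

@dataclass
class Principal:
    components: List[str]
    realm: Optional[str]
    name_type: int

def parse_name(name: str, flag: ParseFlag, default_realm: Optional[str] = None) -> Principal:
    """Model of krb5_parse_name_flags: with NO_REALM an unescaped '@' is an error;
    with ENTERPRISE the first '@' is part of the single component and the default
    realm is appended, so the parse fails where no default_realm is configured."""
    enterprise = flag is ParseFlag.ENTERPRISE
    comps, cur, realm, seen_at, i = [], [], None, False, 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):          # backslash escapes the next char
            cur.append(name[i + 1]); i += 2; continue
        if c == "@" and enterprise and not seen_at:   # first '@' belongs to the name
            seen_at = True; cur.append(c)
        elif c == "@":                                # realm separator
            realm = name[i + 1:]; break
        elif c == "/" and not enterprise:             # component separator
            comps.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    comps.append("".join(cur))
    if flag is ParseFlag.NO_REALM:
        if realm is not None:
            raise ValueError("KRB5_PARSE_MALFORMED: realm present with NO_REALM")
    elif realm is None:
        if default_realm is None:
            raise ValueError("KRB5_CONFIG_NODEFREALM: no default_realm configured")
        realm = default_realm
    return Principal(comps, realm, KRB5_NT_ENTERPRISE_PRINCIPAL if enterprise else KRB5_NT_PRINCIPAL)

def pac_client_matches(pac_client_name: str, ticket_client: Principal, flag: ParseFlag,
                       default_realm: Optional[str] = None) -> bool:
    """Client-info check model: parse the PAC name with FLAG and compare the
    components with the ticket client, ignoring realm; a parse error is a mismatch."""
    try:
        return parse_name(pac_client_name, flag, default_realm).components == ticket_client.components
    except ValueError:
        return False
```

Parsing a constructed enterprise name such as joe@example.com with NO_REALM fails on the '@', with ENTERPRISE it matches the ticket's enterprise client, and with ENTERPRISE but no default_realm it fails again, which is the dependency on /etc/krb5.conf noted above.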