Windows 2000 KDC interoperability

Alistair Mackay abm at firefly-consulting.co.uk
Tue Dec 10 11:43:01 EST 2002


After spending much of the last year working on a project for a major
investment bank to integrate Kerberos V5 on Unix with new Windows 2000
domain controllers/KDCs, I've come across (and provided internal patches
for) various incompatibilities, with invaluable help from John Brezak and
colleagues at Microsoft, including:

"Error 52". The Win2K KDC reports this error as meaning "data too large for
UDP, use TCP". Upon switching to TCP, the data stream begins with a 32-bit
number in network byte order that specifies how much data to receive.

"Disable PAC data transfer". There is an ASN.1 sequence that instructs the
KDC not to send Windows 2000 SID information in the PAC field of tickets.
When present, this data causes tickets to be very large (some users in the
organisation may have hundreds of Windows group memberships; I have seen
tickets in excess of 30 kbytes returned from the KDC) and causes numerous
buffer overflow problems in various MIT software, telnetd being a good
example. I posted a temporary fix for this on the bugs list during the
lifecycle of v1.2.4, and implemented a 'dirty hack' in the get-initial-ticket
routines, coupled with an extra flag in the structure used by
krb5_get_init_creds_opt_init(), to turn this on/off.
Refer to
http://msdn.microsoft.com/library/en-us/dnkerb/html/MSDN_PAC.asp

I would suggest that ticket/network ring buffers should make no assumptions
about the amount of data they may be expected to receive, and that libraries
and applications should be coded appropriately.
Also, applications that are compiled specifically for Windows can check a
registry value to get the expected token size; see
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327825

Is there any plan to implement any of the above, and if so, which release
can we expect it?

Regards.
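The two KDC behaviours described in the message above (the error 52 "use TCP" fallback with its 4-byte big-endian length prefix, and the pre-authentication data that asks the KDC to leave the PAC out) plus the "make no assumptions about reply size" advice, as an added example that is not part of the original post and is not MIT krb5 code. The KDC is simulated with plain callables so the block runs offline; the 1 MiB cap on a buffered message is an assumption chosen for the example, the KRB-ERROR built here is a constructed sample that carries only the mandatory fields, and the padata-type 128 for KERB-PA-PAC-REQUEST is the value MS-KILE assigns it. The reply-too-big fallback, the bounded TCP reader and the include-pac encoder are the parts worth copying.

```python
"""Kerberos-over-TCP framing, error 52 fallback and a PA-PAC-REQUEST encoder.

Constructed example: the KDC is a pair of callables, no network I/O is done.
"""
import io
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # KDC error: reply too big for UDP, use TCP
PA_PAC_REQUEST = 128            # padata-type of KERB-PA-PAC-REQUEST (MS-KILE)
MAX_KRB_MESSAGE = 1 << 20       # assumption: cap on one message we will buffer


# --- minimal DER helpers (single-byte tags, lengths up to 65535) ------------
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body


def der_int(v):
    return der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def der_iter(buf):
    """Yield (tag, body) for each TLV in buf, refusing to read past its end."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                       # long-form length
            nb = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + nb], "big"), i + nb
        if i + ln > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + ln]
        i += ln


def krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None if msg is not one."""
    if not msg or msg[0] != 0x7E:           # [APPLICATION 30] KRB-ERROR
        return None
    _, seq = next(der_iter(msg))
    stag, fields = next(der_iter(seq))
    if stag != 0x30:
        return None
    for ctag, inner in der_iter(fields):
        if ctag == 0xA6:                    # error-code [6] INTEGER
            itag, val = next(der_iter(inner))
            return int.from_bytes(val, "big", signed=True) if itag == 0x02 else None
    return None


def build_krb_error(code):
    """Constructed KRB-ERROR with the mandatory fields only (for the fake KDC)."""
    sname = der_tlv(0x30, der_tlv(0xA0, der_int(2)) +
                    der_tlv(0xA1, der_tlv(0x30, der_tlv(0x1B, b"krbtgt") +
                                          der_tlv(0x1B, b"EXAMPLE.COM"))))
    fields = (der_tlv(0xA0, der_int(5)) +                         # pvno [0]
              der_tlv(0xA1, der_int(30)) +                        # msg-type [1]
              der_tlv(0xA4, der_tlv(0x18, b"20021210164301Z")) +  # stime [4]
              der_tlv(0xA5, der_int(0)) +                         # susec [5]
              der_tlv(0xA6, der_int(code)) +                      # error-code [6]
              der_tlv(0xA9, der_tlv(0x1B, b"EXAMPLE.COM")) +      # realm [9]
              der_tlv(0xAA, sname))                               # sname [10]
    return der_tlv(0x7E, der_tlv(0x30, fields))


def pa_pac_request(include_pac):
    """PA-DATA carrying KERB-PA-PAC-REQUEST { include-pac [0] BOOLEAN }."""
    body = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x01, b"\xFF" if include_pac else b"\x00")))
    return der_tlv(0x30, der_tlv(0xA1, der_int(PA_PAC_REQUEST)) +  # padata-type [1]
                   der_tlv(0xA2, der_tlv(0x04, body)))              # padata-value [2]


# --- TCP framing: 4-byte length in network byte order, high bit reserved ----
def frame_tcp(msg):
    if len(msg) >= 1 << 31:
        raise ValueError("high bit of the length prefix is reserved")
    return struct.pack("!I", len(msg)) + msg


def read_exact(stream, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return bytes(buf)


def read_tcp_message(stream, limit=MAX_KRB_MESSAGE):
    """Read one framed message; the peer's length is bounded, never trusted."""
    (length,) = struct.unpack("!I", read_exact(stream, 4))
    if length & 0x80000000:
        raise ValueError("reserved high bit set in length prefix")
    if length > limit:
        raise ValueError(f"peer advertised {length} bytes, limit is {limit}")
    return read_exact(stream, length)


def kdc_exchange(request, send_udp, open_tcp, limit=MAX_KRB_MESSAGE):
    """Try UDP first; on KRB_ERR_RESPONSE_TOO_BIG resend the request over TCP."""
    reply = send_udp(request)
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        stream = open_tcp(frame_tcp(request))   # assumption: returns reply stream
        reply = read_tcp_message(stream, limit)
    return reply


# --- fake KDC: a 30 kB reply that only fits over TCP (constructed) ----------
BIG_REPLY = b"\x6b" + b"\x00" * 30000            # AS-REP tag followed by filler


def fake_udp(_request):
    return build_krb_error(KRB_ERR_RESPONSE_TOO_BIG)


def fake_tcp(framed_request):
    assert framed_request[:4] == struct.pack("!I", len(framed_request) - 4)
    return io.BytesIO(frame_tcp(BIG_REPLY))


if __name__ == "__main__":
    got = kdc_exchange(b"AS-REQ placeholder", fake_udp, fake_tcp)
    print(len(got), "bytes received over TCP")
```

`read_tcp_message` is the point the message's buffer-size advice turns into code: the length word is read first, but the receiver decides how much it is willing to buffer, so a peer announcing 2 GB gets an error rather than a huge allocation, and a stream that ends early is reported instead of being padded. `pa_pac_request(False)` yields the PA-DATA that a client would add to the AS-REQ to ask the KDC to omit the PAC.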




More information about the krbdev mailing list