interesting problem...

Neulinger, Nathan nneul at
Mon Mar 17 11:17:31 EST 2003

Maybe something along these lines (which doesn't work btw, I haven't dug
into it very much yet.)

	     krb5_free_data(context, enc_part);
	     if ((ret = handle_masq_v4(context, v5tkt,
					 (struct sockaddr_in *) &saddr,
&tktdata, &v4kvno)) != 0)
		 goto error;


 * We support two  kinds of v4 credentials.  There are real v4
 *   credentials, and  a Kerberos v5 enc part masquerading as a krb4
 *  credential to be used by modern AFS implementations; this function
 *  handles the masqueraded case. It throws away authorization data so
 *  this scheme will function with ADS servers that do large auth data
 *  the service tickets.

static krb5_error_code
handle_masq_v4 (krb5_context context, krb5_ticket *v5tkt,
		   struct sockaddr_in *saddr,
		   krb5_data *tktdata, krb5_kvno *v4kvno)
    krb5_error_code ret;
    krb5_keyblock v5_service_key;
     KTEXT_ST v4tkt;
    void *authdata;
	krb5_data *enc_part;
	   KTEXT_ST fake_v4tkt;

    v5_service_key.contents = NULL;
             if ((ret = lookup_service_key(context, v5tkt->server,
				   &v5_service_key, NULL)))
	  goto error;

     if (debug)
	  printf("service key retrieved\n");
     if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt)))
       goto error;

     if (debug)
	  printf("ticket decrypted\n");

	authdata = v5tkt->enc_part2->authorization_data;
	v5tkt->enc_part2->authorization_data = NULL;

     if (debug)
	  printf("auth data disabled\n");

     if ((ret = krb5_encrypt_tkt_part(context, &v5_service_key, v5tkt)))
       goto error;

     if (debug)
	  printf("ticket re-encrypted\n");

	v5tkt->enc_part2->authorization_data = authdata;

     if (debug)
	  printf("auth data restored\n");

	 if ((ret = encode_krb5_enc_data( &v5tkt->enc_part, &enc_part))
!= 0) 
	     goto error;

	if (debug) printf("encoded enc_part");

	if (debug) printf("enc_part->length == %d\n", enc_part->length);
	   fake_v4tkt.mbz = 0;
	   fake_v4tkt.length = enc_part->length;
	   memcpy(fake_v4tkt.dat, enc_part->data, enc_part->length);
	     *v4kvno = (0x100-0x2b); /*protocol constant indicating  v5
				     * enc part only*/
	     krb5_free_data(context, enc_part);
	     ret = encode_v4tkt(&fake_v4tkt, tktdata->data,

     if (v5tkt->enc_part2)
	 krb5_free_enc_tkt_part(context, v5tkt->enc_part2);

       krb5_free_keyblock_contents(context, &v5_service_key);

     return ret;

Nathan Neulinger                       EMail:  nneul at
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

> -----Original Message-----
> From: Neulinger, Nathan 
> Sent: Monday, March 17, 2003 9:49 AM
> To: 'Sam Hartman'
> Cc: Uetrecht, Daniel J.
> Subject: interesting problem...
> I just started looking at the updated krb5 support and 
> krb524d, and it won't use it cause enc_part->length is 833 
> bytes for my test user (or in my own userid's case 1769 bytes).
> We're running against microsoft ADS, so I assume it's because 
> of the authorization data crud in the ticket for group 
> membership/etc. 
> I'm guessing I may need to do something like decrypt the 
> ticket, throw away the data I don't need, and then try the 
> length check and new-style response again...
> Any suggestions?
> -- Nathan
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul at
> University of Missouri - Rolla         Phone: (573) 341-4841
> Computing Services                       Fax: (573) 341-4216

More information about the krbdev mailing list