preauth mechanism functioning at the client-side

Gopal Paliwal gopalpaliwal at
Mon Aug 13 15:01:13 EDT 2007

thanks for suggestions for using negative number.
It seems to be a right idea to use -ve value till it starts working

But, one of my question remains unanswerred.
why client even after getting hint type-32 and even when i make it a
preferred_preauth_type still picks up type-2 for requesting to AS with
preauth data filled. ?

>From where it takes type-2 as a default value?

Also, is client capable of sending 2-preauth values back to the kerberos
server in AS_REQ?

client gives me error like "Looping detected in krb5_get_in_tkt" when I do
not send type-2 in hint from server to client and just send type-32 instead
of it.

let me know.


On 8/13/07, Marcus Watts <mdw at> wrote:
> > Date:    Mon, 13 Aug 2007 10:57:59 PDT
> > To:      "Tim Alsop" <Tim.Alsop at>,
> jaltman at
> > cc:      krbdev at
> > From:    "Gopal Paliwal" <gopalpaliwal at>
> > Subject: Re: preauth mechanism functioning at the client-side
> >
> > Hi,
> > Thanks for the reply.
> > Currently the number 32 which I assigned for the new-preauth type is'nt
> > having conflict with the existing ones as I did go thru RFC's & relevant
> > code for this change.
> The advice you got ("to use an unused number") is not quite accurate.
> Here is the relevant text from RFC 4120:
> "   padata-type
> "      Indicates the way that the padata-value element is to be
> "      interpreted.  Negative values of padata-type are reserved for
> "      unregistered use; non-negative values are used for a registered
> "      interpretation of the element type.
> "
> Any negative number is free for your experimental use.  At your stage of
> development, this is probably precisely the right answer.  Once you have
> something that works, then a positive number may be appropriate.  If
> you want to share or deploy your implementation outside of your
> organization,
> you should acquire a positive (registered) number.  If you want to use a
> positive number, you need to ask that it be assigned to you.  In theory,
> you should just have to ask to get a number; in practice, you will get
> a better reception if you have a public document that describes how
> you intend to use that number such that others can write interoperating
> implementations--ideally, an RFC draft.  In this particular case, you may
> also want to say why you can't instead extend pa-sam-challenge/response.
> I believe most of the existing data structures in MIT kerberos should
> accept
> negative pa types just fine.  You should probably avoid using -1 since MIT
> likes to use that as a "wildcard" value in certain contexts.
>                                -Marcus Watts

More information about the krbdev mailing list