wrong checksum type for arcfour-hmac-md5

Stefan (metze) Metzmacher metze at samba.org
Wed Sep 15 11:47:29 EDT 2010


Hi Luke,

>> I found that MIT Kerberos uses the wrong (not the same as Windows and
>> Heimdal) checksum for arcfour-hmac-md5.
> 
> I would be cautious about changing the default checksum type for rc4-hmac in etypes.c. RFC 4757 is pretty clear that the mandatory checksum type is CKSUMTYPE_HMAC_MD5_ARCFOUR.

But Windows doesn't use it...

See the following capture in frame 145.

http://samba.org/~metze/ads/w2k3-107-becomes-w2k3-dc.cap
http://samba.org/~metze/ads/w2k3-107.keytab
http://samba.org/~metze/ads/w2k3-107-becomes-w2k3-dc.cap-frame-145.png

> Can you point me to where in the GSS-API RFCs and/or Windows protocol documents it specifies *not* sending a 0x8003 as part of the AP-REQ in a Kerberos InitialContextToken? I don't believe Windows clients ever do this? Samba is taking advantage of the fact that Windows servers are liberal acceptors but this isn't specified anywhere to my knowledge (OK, I haven't looked).
> 
> I would suggest instead your self-made GSSAPI use krb5_auth_con_set_req_cksumtype() to force the checksum type you want.

This should be used directly before the krb5_mk_req_extended() here?
http://gitweb.samba.org/?p=cifs-utils.git;a=blob;f=cifs.upcall.c

metze
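For readers following the checksum-type point above: the following is an added example, not code from this thread or from MIT, Heimdal or Samba. It implements the RFC 4757 section 4 checksum that Kerberos registers as CKSUMTYPE_HMAC_MD5_ARCFOUR, and contrasts it with a plain HMAC-MD5 over the same data, which is a different checksum type and therefore never verifies against a peer expecting the RFC 4757 one. The key, data and usage number 10 (RFC 4120 section 7.5.1, AP-REQ Authenticator checksum) are assumptions chosen for the demonstration.

```python
# Added example (not from the thread or any of the projects it mentions):
# the RFC 4757 section 4 HMAC-MD5 checksum, CKSUMTYPE_HMAC_MD5_ARCFOUR.
import hashlib
import hmac
import struct

# RFC 4120 section 7.5.1 key usage for the AP-REQ Authenticator checksum
# (assumed here as the usage a raw AP-REQ checksum would be keyed with).
KEY_USAGE_AP_REQ_AUTH_CKSUM = 10


def rc4_signature_key(key: bytes) -> bytes:
    """Ksign = HMAC-MD5(K, "signaturekey" || 0x00), per RFC 4757."""
    return hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()


def rc4_hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """CHKSUM = HMAC-MD5(Ksign, MD5(T || data)), T = usage as 4-byte LE."""
    ksign = rc4_signature_key(key)
    t = struct.pack("<I", usage)
    tmp = hashlib.md5(t + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_rc4_hmac_md5_checksum(key: bytes, usage: int,
                                 data: bytes, cksum: bytes) -> bool:
    """Constant-time comparison so a peer cannot probe the tag byte by byte."""
    return hmac.compare_digest(rc4_hmac_md5_checksum(key, usage, data), cksum)


def plain_hmac_md5(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 straight over the data: a different checksum type, so a
    peer computing RFC 4757's checksum will reject it."""
    return hmac.new(key, data, hashlib.md5).digest()


if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    key = bytes(range(16))
    data = b"constructed authenticator application data"
    ck = rc4_hmac_md5_checksum(key, KEY_USAGE_AP_REQ_AUTH_CKSUM, data)
    print("rfc4757 checksum:", ck.hex())
    print("verifies:", verify_rc4_hmac_md5_checksum(
        key, KEY_USAGE_AP_REQ_AUTH_CKSUM, data, ck))
    print("plain hmac-md5 matches:", plain_hmac_md5(key, data) == ck)
```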
