wrong checksum type for arcfour-hmac-md5
Sam Hartman
hartmans at MIT.EDU
Wed Sep 15 13:35:03 EDT 2010
>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:
Greg> On Wed, 2010-09-15 at 12:15 -0400, Luke Howard wrote:
>> The trace simo attached showed unkeyed checksum in a tgs req,
>> IIRC
Greg> Yes, but that's not directly to the failure case. We have no
Greg> reason to believe that a tgs-req with an hmac-md5
Greg> authenticator checksum will be rejected by AD.
My current thinking on this is that the bug is in Samba. Based on the
evidence so far I don't support this change. Having the mandatory
checksum for an enctype be unkeyed is problematic for a number of things
including FAST, PKINIT, the securID stuff I'm working on and the OTP
preauth under last call in krb-wg.
More information about the krbdev
mailing list