message size incompatible with type error for krb5-1.9 lib using Windows 2003 KDC
Douglas E. Engert
deengert at anl.gov
Wed Feb 16 14:20:29 EST 2011
On 2/16/2011 12:06 PM, Elzey, Blaine A (Blaine) wrote:
> Using adsiedit to manually modify the UserAccountControl Integer to include the NO_AUTH_DATA_REQUIRED bit (2097664 + 33554432 = 35652096) and that did not work. Perhaps my Win2003SP2 still needs some Hotfix, but my dll versions are newer than the what is specified in the article. The Hotfix download page said the release was Windows 2003 SP1 (x86), but I have 2003 SP2 (x86). The UserAccountControl value that works is 6291968, set no preauth for user from account properties. Is there another way to set the NO_AUTH_DATA_REQ other than adsiedit or did I need to perform some refresh to make the adsiedit change take affect? I am reluctant to apply the Hotfix.
>
That is 0x2200200.
You also have the USE_DES_KEY_ONLY bit (0x200000) turned on, so the Windows DC will
assume the machine can only do DES. So that may be why the PAC signature
is using DES.
How did you setup the keytab for the server? ktpass I presume.
You could look at using AES and/or arcfour for the service keys,
rather the DES.
>> From the Hotfix KB:
> Date Time Version Size File name
> -------------------------------------------------------
> 14-Sep-2004 16:26 5.2.3790.210 226,816 Kdcsvc.dll
> 14-Sep-2004 16:26 5.2.3790.210 324,608 Netapi32.dll
> 14-Sep-2004 16:26 5.2.3790.210 464,384 Samsrv.dll
>
> I have:
> kdcsvc.dll 5.2.3790.3959
> netapi32.dll 5.2.3790.3959
> samsrv.dll 5.3.3790.3959
>
> Blaine
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the krbdev
mailing list