Disabling PA-REQ-ENC-PA-REP (149) preauth?
krb5 at olo.org.pl
Sat Jan 14 16:19:28 EST 2012
On Sat, Jan 14, 2012 at 19:18, Greg Hudson <ghudson at mit.edu> wrote:
> On 01/14/2012 10:04 AM, Aleksander Adamowski wrote:
>> Is there a way to disable this behaviour in libkrb5?
> KDC implementations must ignore unrecognized padata fields. This
> requirement is a fundamental basis of krb5 protocol extensibility; there
> is really no way implementations can work around or accommodate a failure
> to do so.
OK, understood. I've rechecked the logs and it turns out I've
misinterpreted the messages.
The warning that misled me was logged during the decoding of the
padata ASN.1 unit:
ERR_00043_REMAINING_BYTES_FOR_DECODED_PDU The PDU has been fully
decoded but there are still bytes in the buffer
But it turns out that it's harmless and occurs on other occasions.
The actual cause for the error was a lack of common encryption types
between client and server.
ApacheDS's KDC by default only handles des-cbc-md5 (3), while libkrb5
asks for either of: aes256-cts-hmac-sha1-96 (18),
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23).
Now I have to figure out how to get ApacheDS to support one of those...
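
An added example, not part of the original message and not code from libkrb5 or ApacheDS: a simplified KDC-side sketch of the two behaviours discussed in the thread, skipping an unrecognized padata type (149) and failing with KDC_ERR_ETYPE_NOSUPP only when client and KDC share no enctype. The function names, the constructed sample bytes and the pick-first-shared-enctype rule are assumptions made for illustration.

```python
KDC_ERR_ETYPE_NOSUPP = 14      # RFC 4120 error code
PA_ENC_TIMESTAMP = 2           # RFC 4120 padata type
PA_REQ_ENC_PA_REP = 149        # padata type named in the thread subject

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_padata(der):
    """Decode SEQUENCE OF PA-DATA into [(padata_type, padata_value), ...]."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        _, entry, pos = read_tlv(body, pos)          # one PA-DATA SEQUENCE
        _, type_field, p = read_tlv(entry, 0)        # [1] padata-type
        _, value_field, _ = read_tlv(entry, p)       # [2] padata-value
        _, int_bytes, _ = read_tlv(type_field, 0)    # INTEGER
        _, octets, _ = read_tlv(value_field, 0)      # OCTET STRING
        items.append((int.from_bytes(int_bytes, "big", signed=True), octets))
    return items

def handle_as_req(padata_der, client_etypes, kdc_etypes, known_padata):
    """Skip unrecognized padata; report an error only if no enctype is shared."""
    used = [t for t, _ in parse_padata(padata_der) if t in known_padata]
    for etype in client_etypes:                  # assumed: client preference order
        if etype in kdc_etypes:
            return {"etype": etype, "padata_used": used}
    return {"error": KDC_ERR_ETYPE_NOSUPP, "padata_used": used}

def tlv(tag, value):                             # sample builder, short-form lengths
    return bytes([tag, len(value)]) + value

def pa_data(ptype, value):
    num = ptype.to_bytes(ptype.bit_length() // 8 + 1, "big")
    return tlv(0x30, tlv(0xA1, tlv(0x02, num)) + tlv(0xA2, tlv(0x04, value)))

# Constructed sample: a placeholder timestamp entry plus an empty type-149 entry.
SAMPLE = tlv(0x30, pa_data(PA_ENC_TIMESTAMP, b"\x00" * 4) + pa_data(PA_REQ_ENC_PA_REP, b""))
CLIENT_ETYPES = [18, 17, 16, 23]                 # libkrb5's request, as listed in the post
```

With a KDC that offers only enctype 3, handle_as_req(SAMPLE, CLIENT_ETYPES, {3}, {PA_ENC_TIMESTAMP}) returns the enctype error while the type-149 entry is simply skipped.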