Disabling PA-REQ-ENC-PA-REP (149) preauth?

Aleksander Adamowski krb5 at olo.org.pl
Sat Jan 14 16:19:28 EST 2012

On Sat, Jan 14, 2012 at 19:18, Greg Hudson <ghudson at mit.edu> wrote:
> On 01/14/2012 10:04 AM, Aleksander Adamowski wrote:
>> Is there a way to disable this behaviour in libkrb5?
> KDC implementations must ignore unrecognized padata fields.  This
> requirement is a fundamental basis of krb5 protocol extensibility; there
> is really no way implementations can work around or accommodate a failure
> to do so.

OK, understood. I've rechecked the logs and it turns out I've
misinterpreted the messages.
The warning that misled me was logged during the decoding of the
padata ASN.1 unit:
"decoded but there are still bytes in the buffer"

But it turns out that it's harmless and occurs on other occasions.

The actual cause for the error was a lack of common encryption types
between client and server.

ApacheDS's KDC by default only handles des-cbc-md5 (3), while libkrb5
asks for any of: aes256-cts-hmac-sha1-96 (18),
aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23).

Now I have to figure out how to get ApacheDS to support one of those...

Best Regards,
  Aleksander Adamowski
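The two points this exchange turns on, a KDC must silently ignore padata types it does not recognise, and an AS-REQ fails with KDC_ERR_ETYPE_NOSUPP when the client's offered enctypes and the KDC's supported enctypes have no overlap, are modelled below as an added example. It is not code from MIT krb5, ApacheDS or any poster; the enctype numbers, padata type numbers and error codes are the registered values from RFC 3961/3962/4757, RFC 6806 and RFC 4120, while the request/response dictionaries, the handler names and the two default enctype lists (taken from the post) are simplifications made for illustration.

```python
"""Toy model of KDC-side AS-REQ handling: unknown padata is ignored and
the session-key enctype is chosen from the client's preference list.
Added example only; not MIT krb5 or ApacheDS code."""

# Encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Error codes from RFC 4120 section 7.5.9.
KDC_ERR_ETYPE_NOSUPP = 14         # no common enctype
KDC_ERR_PADATA_TYPE_NOSUPP = 16   # what a *non-conforming* KDC would return

# Padata type numbers: RFC 4120 section 7.5.2 and RFC 6806.
PA_ENC_TIMESTAMP = 2
PA_REQ_ENC_PA_REP = 149

# Lists reported in the post: libkrb5's default offer and ApacheDS's
# default support (constructed here from the message text).
LIBKRB5_DEFAULT_ETYPES = [18, 17, 16, 23]
APACHEDS_DEFAULT_ETYPES = [3]


def _handle_enc_timestamp(value):
    """Stand-in for PA-ENC-TIMESTAMP processing; a real KDC would decrypt
    and check the timestamp here. We only record that it was seen."""
    return ("enc-timestamp", len(value))


# Only the padata types this toy KDC understands; 149 is deliberately absent.
KNOWN_PADATA = {PA_ENC_TIMESTAMP: _handle_enc_timestamp}


def common_etype_names(client_etypes, kdc_etypes):
    """Human-readable list of the enctypes both sides support, in the
    client's preference order. Empty means the AS exchange cannot succeed."""
    return [ENCTYPE_NAMES.get(et, str(et))
            for et in client_etypes if et in kdc_etypes]


def select_etype(client_etypes, kdc_etypes):
    """RFC 4120 section 3.1.3: the KDC honours the client's preference
    order among the enctypes it supports. None when there is no overlap."""
    for et in client_etypes:
        if et in kdc_etypes:
            return et
    return None


def handle_as_req(req, kdc_etypes, reject_unknown_padata=False):
    """Process a simplified AS-REQ {'etypes': [...], 'padata': [(type, bytes)]}.

    reject_unknown_padata=False is the conforming behaviour: unrecognised
    padata types are skipped. True models the broken behaviour the thread
    rules out, so the two can be compared side by side."""
    handled, ignored = [], []
    for pa_type, pa_value in req["padata"]:
        handler = KNOWN_PADATA.get(pa_type)
        if handler is not None:
            handled.append(handler(pa_value))
        elif reject_unknown_padata:
            # Non-conforming: fails every client that sends a newer padata.
            return {"msg": "KRB-ERROR",
                    "error_code": KDC_ERR_PADATA_TYPE_NOSUPP,
                    "offending_padata": pa_type}
        else:
            ignored.append(pa_type)  # required: ignore, never reject

    etype = select_etype(req["etypes"], kdc_etypes)
    if etype is None:
        return {"msg": "KRB-ERROR",
                "error_code": KDC_ERR_ETYPE_NOSUPP,
                "ignored_padata": ignored,
                "client_offered": [ENCTYPE_NAMES.get(e, str(e)) for e in req["etypes"]],
                "kdc_supports": [ENCTYPE_NAMES.get(e, str(e)) for e in kdc_etypes]}
    return {"msg": "AS-REP", "etype": etype,
            "ignored_padata": ignored, "handled_padata": handled}


if __name__ == "__main__":
    # Constructed request shaped like the one in the post: libkrb5's
    # default etypes plus the padata type 149 that ApacheDS does not know.
    req = {"etypes": LIBKRB5_DEFAULT_ETYPES,
           "padata": [(PA_REQ_ENC_PA_REP, b""), (PA_ENC_TIMESTAMP, b"\x00" * 8)]}
    print(handle_as_req(req, APACHEDS_DEFAULT_ETYPES))        # KRB-ERROR, code 14
    print(handle_as_req(req, APACHEDS_DEFAULT_ETYPES + [23]))  # AS-REP, etype 23
```

Run against the defaults from the post, the response is a KRB-ERROR with code 14 and an empty `common_etype_names` list, with padata 149 listed as ignored rather than as the cause; enabling rc4-hmac or one of the AES types on the KDC side turns the same request into an AS-REP, which is the fix the original poster was looking for.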
