Omit PA_FOR_USER when HMAC_MD5 isn't available
Isaac Boukris
iboukris at gmail.com
Sat Jun 6 05:33:31 EDT 2020
Hi Simo,
Following our discussion about [1], I believe we can just ignore the
error when building PA_FOR_USER, and it will still work fine against
modern Windows and MIT KDCs. I've just tested forcing removal of the
padata and tested that it works against Windows. See wip:
https://github.com/krb5/krb5/pull/1080
Another way to go about it, could be to use the checksum of the TGT
instead of HMAC_MD5 in case of failure. Although it is not according
to the "spec", it happens to work fine everywhere (Windows, MIT and
Heimdal KDCs), and that's in fact what the Heimdal client does.
I wonder if I can make the use of HMAC_MD5 to fail via krb5.conf, to
use it for the test.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1838628
More information about the krbdev
mailing list