Omit PA_FOR_USER when HMAC_MD5 isn't available

Isaac Boukris iboukris at
Sat Jun 6 05:33:31 EDT 2020

Hi Simo,

Following our discussion about [1], I believe we can just ignore the
error when building PA_FOR_USER, and it will still work fine against
modern Windows and MIT KDCs. I've just tested forcing removal of the
padata and tested that it works against Windows. See wip:

Another way to go about it, could be to use the checksum of the TGT
instead of HMAC_MD5 in case of failure. Although it is not according
to the "spec", it happens to work fine everywhere (Windows, MIT and
Heimdal KDCs), and that's in fact what the Heimdal client does.

I wonder if I can make the use of HMAC_MD5 to fail via krb5.conf, to
use it for the test.


More information about the krbdev mailing list