rd_req.c will try and verify a PAC from a Microsoft W2k3 AD KDC if present, by calling the new pac.c. This tries to verify the checksums of the PAC.
The checksum of the PAC may be encrypted in the session key, or the server's key, depending on if KDC_OPT_ENC_TKT_IN_SKEY was set in the ap_req_options.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp says about the PAC_SERVER_CHECKSUM:

"For the server's checksum, the key used to generate the signature should be the same key used to encrypt the ticket. Thus, if the enc_tkt_in_skey option is used, the session key from the server's TGT should be used."

The code was not checking if this was the case and was always using the skey, and thus would fail to decrypt PAC_SERVER_CHECKSUM.

Suggested fix:

--- ,rd_req.c Thu Jan 4 05:27:20 2007 +++ rd_req.c Mon Jan 15 15:44:18 2007 @@ -855,7 +855,8 @@ pac, o->ticket->ticket.authtime, o->ticket->client, - &o->ticket->ticket.key, + (o->ap_req_options & KDC_OPT_ENC_TKT_IN_SKEY) ? + &o->ticket->ticket.key : o->keyblock, NULL); krb5_pac_free(context, pac); if (ret)

Love Hörnquist Åstrand wrote:
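Review bot: the flag tested in the added "+" line, KDC_OPT_ENC_TKT_IN_SKEY, is a KDC-options bit (the TGS-REQ enc-tkt-in-skey option), while o->ap_req_options carries the AP-REQ ap-options, whose corresponding flag is the use-session-key bit (AP_OPTS_USE_SESSION_KEY in Heimdal's krb5.h); unless the two constants happen to occupy the same bit position the condition never selects the session-key branch, so the test should use the AP-option constant. Second, the MSDN text quoted above says the signing key is the key that encrypted the ticket, which in the user-to-user case is the session key of the server's TGT, whereas &o->ticket->ticket.key is the session key carried inside this ticket; if o->keyblock is the key rd_req just decrypted the ticket with, it is the right key on both paths and the hunk reduces to passing o->keyblock unconditionally.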
> Hello
>
> I've just created a heimdal 0.8-rc3 snapshot.
>
> ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.8-rc3.tar.ga
> ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-0.8-rc3.dmg
>
> Basically what needs to happen before release is fixing (text) error message for GSS-API mech-glue layer and testing on more platforms.
>
> Testing is mostly automated and very simple to set up, please read here if you want to contribute.
>
> http://www.pdc.kth.se/heimdal/help/#buildfarm
>
> Love
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
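The key-selection rule from the report above, as an added Python model that is not code from the report or from Heimdal: it signs a constructed PAC body with the key that encrypted the ticket (the server's long-term key normally, the TGT session key when the AP-REQ use-session-key option was set) and then shows that verifying with the ticket's own session key, as the old rd_req.c did, fails in both cases. The constant USE_SESSION_KEY, the three keys, the PAC body and the use of plain HMAC-MD5 in place of the Kerberos checksum types are all constructed assumptions for the demo.

```python
"""Constructed model of which key verifies a PAC server checksum (not Heimdal code)."""
import hashlib
import hmac

# Constructed stand-in for the AP-REQ "use-session-key" ap-option bit.
USE_SESSION_KEY = 1 << 30

# Constructed keys; in Kerberos these come from the KDC and the server keytab.
SERVER_LONG_TERM_KEY = b"constructed-server-keytab-key"
TGT_SESSION_KEY = b"constructed-session-key-of-servers-tgt"
TICKET_SESSION_KEY = b"constructed-session-key-inside-ticket"


def keyed_checksum(key, data):
    """Keyed checksum standing in for the Kerberos HMAC-MD5 PAC checksum (assumption)."""
    return hmac.new(key, data, hashlib.md5).digest()


def ticket_encryption_key(ap_options):
    """Key that encrypted the service ticket: the TGT session key for
    user-to-user (use-session-key set), otherwise the server's long-term key."""
    if ap_options & USE_SESSION_KEY:
        return TGT_SESSION_KEY
    return SERVER_LONG_TERM_KEY


def issue_pac_server_checksum(pac_body, ap_options):
    """KDC side: the server checksum is made with the key the ticket is encrypted in."""
    return keyed_checksum(ticket_encryption_key(ap_options), pac_body)


def verify_server_checksum(pac_body, checksum, key):
    """Server side: recompute the checksum under `key` and compare in constant time."""
    return hmac.compare_digest(keyed_checksum(key, pac_body), checksum)


def verification_outcomes(ap_options):
    """Return (old_behaviour_ok, fixed_behaviour_ok) for a PAC issued under ap_options.

    old: always verify with the ticket's own session key (what the report says rd_req.c did).
    fixed: verify with the key that encrypted the ticket, as the MSDN text requires.
    """
    pac_body = b"\x00" * 8 + b"constructed PAC logon-info buffer"  # constructed sample
    checksum = issue_pac_server_checksum(pac_body, ap_options)
    old = verify_server_checksum(pac_body, checksum, TICKET_SESSION_KEY)
    fixed = verify_server_checksum(pac_body, checksum, ticket_encryption_key(ap_options))
    return old, fixed


if __name__ == "__main__":
    for name, opts in (("normal ticket", 0), ("user-to-user ticket", USE_SESSION_KEY)):
        old, fixed = verification_outcomes(opts)
        print(f"{name}: session-key-only verification ok={old}, key-that-encrypted-ticket ok={fixed}")
```

The point the model makes is that the ticket's embedded session key is never the key that encrypted the ticket, so checking the server checksum with it fails for both ordinary and user-to-user tickets; the verifier has to pick the key by the AP-REQ option, not use one key unconditionally.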