Hi,

Trying to acquire a TGT without the necessary password, ccache or keytab entry will result in an AS-REQ with an empty padata field. I'm not talking about the initial request with *null* padata. This is a second request with a padata SEQUENCE that is simply empty:
$ dumpasn1 /tmp/out.bin
  0 169: [APPLICATION 10] {
  3 166:   SEQUENCE {
  6   3:     [1] {
  8   1:       INTEGER 5
       :       }
 11   3:     [2] {
 13   1:       INTEGER 10
       :       }
 16   2:     [3] {
 18   0:       SEQUENCE {}    <--- "empty" padata
       :       }
 20 149:     [4] {
 23 146:       SEQUENCE {
 26   7:         [0] {
 28   5:           BIT STRING...

This happens because lib/krb5/get_in_tkt.c:add_padata ignores errors returned by key_proc. I think it would be more appropriate to check to make sure that padata was successfully added with something like the following patch:

diff -Naur get_in_tkt.c.0 get_in_tkt.c --- get_in_tkt.c.0 2007-02-07 20:53:58.000000000 -0500 +++ get_in_tkt.c 2007-02-07 20:55:50.000000000 -0500 @@ -391,6 +391,7 @@ } md->val = pa2; + ret = KRB5_KT_NOTFOUND; for (i = 0; i < netypes; ++i) { krb5_keyblock *key; @@ -406,7 +407,7 @@ } if(salt == &salt2) krb5_free_salt(context, salt2); - return 0; + return md->len ? 0 : ret; } static krb5_error_code @@ -548,6 +549,8 @@ } } } + if (ret) + return ret; } else /* not sure this is the way to use `ptypes' */ if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)

Note that this will change the error reported from KRB5KDC_ERR_PREAUTH_REQUIRED to KRB5_KT_NOTFOUND so one must also consider any logic that might depend on this error condition.

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
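Review bot: In the add_padata hunks (@@ -391 and @@ -406), presetting `ret = KRB5_KT_NOTFOUND;` before the loop and then returning `md->len ? 0 : ret;` means the caller only learns the real cause of failure if the loop body overwrites `ret` with the key_proc error, which the hunk does not show; if it does not, every failure (password, ccache or keytab) is reported as a keytab lookup error. Suggest keeping the last key_proc error in a dedicated variable and returning that when `md->len == 0`, so the code path that used a password or ccache does not surface a KRB5_KT_* code, and so the KRB5KDC_ERR_PREAUTH_REQUIRED replacement noted below is at least the underlying error rather than a fixed constant.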
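Review bot: In the @@ -548 hunk, the new `if (ret) return ret;` sits after three closing braces with no visible reset of `ret` between the add_padata call and the check, so confirm `ret` still holds add_padata's return at that point and is not a stale value from an earlier step inside those blocks. An early return here also bypasses whatever cleanup follows the `else` branch for the pre-authentication data built above; if that data is heap-allocated (not visible in the context lines), it should be freed on this path as well, and the changed error code should be documented where callers test for KRB5KDC_ERR_PREAUTH_REQUIRED.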
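As an added example (not part of the original message or of Heimdal), here is a small Python DER walker that tells apart the two encodings Mike describes: an AS-REQ with no padata element at all versus one whose [3] element carries an empty SEQUENCE. The sample requests are hand-assembled from the tag layout in the dumpasn1 output above and truncated; the req-body in [4] is a stub, not a valid KDC-REQ-BODY.

```python
# Added example, not Heimdal code: classify the padata field of a DER-encoded
# AS-REQ as absent (initial request), empty (the faulty second request from
# the thread) or present. Sample requests are hand-assembled and truncated.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length (multi-byte)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside [start, end)."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def padata_state(as_req):
    """Classify padata [3] of an AS-REQ: ('absent'|'empty'|'present', entries)."""
    tag, vstart, _ = read_tlv(as_req, 0)
    if tag != 0x6A:                      # [APPLICATION 10] = AS-REQ
        raise ValueError("not an AS-REQ")
    seq_tag, sstart, send = read_tlv(as_req, vstart)
    if seq_tag != 0x30:
        raise ValueError("AS-REQ payload is not a SEQUENCE")
    for ctag, cstart, _ in children(as_req, sstart, send):
        if ctag == 0xA3:                 # [3] padata: SEQUENCE OF PA-DATA
            _, pstart, pend = read_tlv(as_req, cstart)
            n = sum(1 for _ in children(as_req, pstart, pend))
            return ("empty" if n == 0 else "present", n)
    return ("absent", 0)

# Constructed samples: pvno 5, msg-type 10 (AS-REQ), stub req-body [4].
PREFIX = bytes.fromhex("a103020105" "a20302010a")
BODY = bytes.fromhex("a4063004a0020500")
EMPTY_PADATA = bytes.fromhex("a3023000")                      # [3] { SEQUENCE {} }
ONE_PADATA = bytes.fromhex("a30d300b3009a103020102a2020400")  # one PA-DATA, type 2
def wrap_as_req(inner):
    """Wrap a KDC-REQ SEQUENCE body in [APPLICATION 10] (short-form lengths only)."""
    return bytes([0x6A, len(inner) + 2, 0x30, len(inner)]) + inner

AS_REQ_ABSENT = wrap_as_req(PREFIX + BODY)
AS_REQ_EMPTY = wrap_as_req(PREFIX + EMPTY_PADATA + BODY)
AS_REQ_ONE = wrap_as_req(PREFIX + ONE_PADATA + BODY)
```

Run over captured AS-REQs, the "empty" classification flags exactly the malformed second request the thread describes, while "absent" is the normal first round trip.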