Elrond <[EMAIL PROTECTED]> writes:

> On Tue, Apr 25, 2006 at 07:53:00PM +0200, Elrond wrote:
> [...]
>> > This could be the problem, from your earlier logs, I think your
>> > current kvno is 2. It seems shishi hard codes the authenticator
>> > checksum kvno to 1, which is bad. I've fixed this in CVS, and I think
>> > the daily Debian packages have it. Could you re-try?
>>
>> Ahhh.
>>
>> Yes, my heimdal keys have kvno > 1 sometimes, too.
>>
>> Okay, will retry soon.
>
> Okay.
>
> Bad news: It did not help.
> Good news: The kvno isn't anymore in the TGS-REQ.

Thanks for testing!

> Okay, here's a quick list, what I can see:
>
> 1) The name-type issue still isn't fixed. (unknown/0, but
>    should be Principal/1)

Yup, let's treat that as the next likely problem.

> 2) shishi has a sub-key and sequence number in the TGS-REQ.
>    heimdal doesn't. (no idea, if that is good or not.)

These are likely next candidates, although they shouldn't cause problems. However, Heimdal handles TGS-REQ with subkeys incorrectly, so it isn't unlikely that w3k3 does something even worse. The seq-number shouldn't cause problems, but we could try removing it, it really shouldn't be there.

> 3) I'm starting to get the feeling, that something on my
>    box is somewhat mixed up.

I'm not so sure -- let's try to make the ASN.1 packets as similar as possible first, to rule out any of those problems. We have three items above to deal with first.

>    a) If I find the time, I will compile it on another box
>       with access to the w2k3-kdc.
>    b) Do I have a realistic chance to verify checksums by
>       "hand"? Setting it to md5 in crypto-rc4 would be my
>       first step, so that I would "only" need to run md5 on
>       some parts of the packet.

Shouldn't be too hard, the checksum is computed over the DER encoding of the req-body in the KDC-REQ. There is an XXX nit in shishi_ap_set_tktoptionsasn1usage() which you could watch out for.

> What next?

I'll try to fix the name-type issue first.

Thanks,
Simon
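As an added example (not part of the original thread and not Shishi's code), here is one way to do the by-hand check discussed above: pull the DER bytes of req-body out of a KDC-REQ and hash them with unkeyed MD5. It assumes, following RFC 4120, that the hashed bytes are the KDC-REQ-BODY SEQUENCE inside the [4] tag; the function names and the sample request are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def req_body_der(kdc_req):
    """Return the KDC-REQ-BODY SEQUENCE (tag, length, value) of an AS-REQ or TGS-REQ."""
    tag, pos, _ = read_tlv(kdc_req)
    if tag not in (0x6A, 0x6C):              # [APPLICATION 10] AS-REQ, [APPLICATION 12] TGS-REQ
        raise ValueError("not a KDC-REQ")
    tag, pos, end = read_tlv(kdc_req, pos)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    while pos < end:
        tag, vstart, vend = read_tlv(kdc_req, pos)
        if tag == 0xA4:                      # req-body [4]; its content is the body SEQUENCE
            return bytes(kdc_req[vstart:vend])
        pos = vend
    raise ValueError("no req-body field")

def md5_over_req_body(kdc_req):              # unkeyed MD5, to compare with the checksum by hand
    return hashlib.md5(req_body_der(kdc_req)).hexdigest()

def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

# Constructed sample, not a real capture: TGS-REQ with padata left out for brevity.
SAMPLE_BODY = tlv(0x30,
    tlv(0xA0, tlv(0x03, b"\x00" * 5)) +             # kdc-options
    tlv(0xA2, tlv(0x1B, b"EXAMPLE.TEST")) +         # realm
    tlv(0xA5, tlv(0x18, b"19700101000000Z")) +      # till
    tlv(0xA7, tlv(0x02, b"\x01")) +                 # nonce
    tlv(0xA8, tlv(0x30, tlv(0x02, b"\x17"))))       # etype 23 (rc4-hmac)
SAMPLE_TGS_REQ = tlv(0x6C, tlv(0x30,
    tlv(0xA1, tlv(0x02, b"\x05")) + tlv(0xA2, tlv(0x02, b"\x0c")) + tlv(0xA4, SAMPLE_BODY)))
```

Feed `md5_over_req_body` the raw TGS-REQ bytes from a packet capture and compare the digest with the checksum carried in the decrypted authenticator; a mismatch means the client hashed different bytes than it sent.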
