Hi,

From a little expedition this morning comparing interoperability with MIT and Heimdal GSSAPI tools, it seems that support for new tokens hasn't been applied correctly with respect to RFC 4121.

A Heimdal snapshot from earlier today incorrectly did not treat des3-cbc-sha1 (enctype 7) as a "not newer" enctype, while Kerberos 1.6 treats des-cbc-md4 (enctype 2) as new and thus happily passes a valid tok_id 0101 token to be parsed as a new-style (0404) token... where it fails. This bug is not present in MIT 1.8.

So, for those having interoperability issues especially between Heimdal clients and MIT 1.6 servers, you may need to patch krb5_gss_accept_sec_context on your server. Fair warning.

--
Derrick
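An added example, not part of the original message and not code from MIT Kerberos or Heimdal: a check that a MIC token's TOK_ID matches the token style the negotiated enctype calls for, which is the decision both implementations got wrong in the cases described above. The function name, the result codes and the membership of the "not newer" set (DES, triple-DES and RC4 enctypes) are assumptions; the message itself names only enctypes 2 and 7.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TOK_MIC_OLD 0x0101u /* RFC 1964 MIC token */
#define TOK_MIC_NEW 0x0404u /* RFC 4121 MIC token */
enum mic_check { MIC_OK, MIC_TOO_SHORT, MIC_UNKNOWN_ID, MIC_STYLE_MISMATCH, MIC_BAD_HEADER };

/* Assumption: "not newer" means the DES, triple-DES and RC4 enctypes
 * (IANA numbers); the post itself names only enctypes 2 and 7. */
static int enctype_is_newer(int enctype)
{
    switch (enctype) {
    case 1: case 2: case 3:   /* des-cbc-crc, des-cbc-md4, des-cbc-md5 */
    case 5: case 7: case 16:  /* des3-cbc-md5, des3-cbc-sha1, des3-cbc-sha1-kd */
    case 23: case 24:         /* rc4-hmac, rc4-hmac-exp */
        return 0;
    default:
        return 1;
    }
}

/* Hypothetical helper. tok points at the TOK_ID octets, i.e. past the
 * RFC 2743 framing that old-style tokens carry. */
enum mic_check check_mic_token(int enctype, const uint8_t *tok, size_t len)
{
    if (tok == NULL || len < 2) return MIC_TOO_SHORT;
    unsigned id = ((unsigned)tok[0] << 8) | tok[1];
    if (id != TOK_MIC_OLD && id != TOK_MIC_NEW) return MIC_UNKNOWN_ID;
    /* The token style must follow the negotiated enctype, never the reverse. */
    if (id != (enctype_is_newer(enctype) ? TOK_MIC_NEW : TOK_MIC_OLD))
        return MIC_STYLE_MISMATCH;
    if (id == TOK_MIC_NEW) {  /* RFC 4121: flags, 5 filler octets of 0xFF, SND_SEQ */
        if (len < 16) return MIC_TOO_SHORT;
        for (size_t i = 3; i < 8; i++)
            if (tok[i] != 0xFF) return MIC_BAD_HEADER;
    }
    return MIC_OK;
}

/* Constructed sample headers (checksums omitted). */
static const uint8_t old_mic[] = { 0x01, 0x01, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t new_mic[16] = { 0x04, 0x04, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

int main(void)
{
    printf("enctype 2, tok_id 0101: %d\n", check_mic_token(2, old_mic, sizeof old_mic));
    printf("enctype 2, tok_id 0404: %d\n", check_mic_token(2, new_mic, sizeof new_mic));
    return 0;
}
```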
