Hello,
configuration
-------------
client: MIT Kerberos 1.9.1 on Solaris-10
KDC: Windows 2003 domain controller
Using the supplied t_s4u.c test program, S4U2Self fails with
KRB5KRB_AP_ERR_MODIFIED (41). The TGS_REQ uses a checksum of type
CKSUMTYPE_RSA_MD5_DES(8) in the PA-S4U2SELF(129) field. However, if I
apply this patch to force CKSUMTYPE_CRC32(1) instead:
--------------------------------------------------------------------------------
--- src/lib/krb5/krb/s4u_creds.c.orig 2010-04-22 23:29:40.000000000 +0000
+++ src/lib/krb5/krb/s4u_creds.c 2011-05-12 23:55:48.504446000 +0000
@@ -181,7 +181,7 @@
return code;
}
- code = krb5_c_make_checksum(context, cksumtype, key,
+ code = krb5_c_make_checksum(context, CKSUMTYPE_CRC32, key,
KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
cksum);
--------------------------------------------------------------------------------
... then the S4U2Self request succeeds. I thought to do this because I
already had it working with Heimdal, and it uses the CRC checksum.
I have attached network traces of the failing and working transactions.
The principal impersonator/[email protected] is authorized on the Windows
KDC for constrained delegation with protocol transition; this transaction
asks for a S4U2Self ticket issued to [email protected] for
impersonator/[email protected].
Thanks,
- Richard Silverman
[email protected]________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
