Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) From: ghudson@mit.edu Subject: git commit Content-Length: 1429 Add pac_privsvr_enctype string attribute The KDC uses the first local TGT key for the privsvr and full PAC checksums. If this key is of an aes-sha2 enctype in a cross-realm TGT, a Microsoft KDC in the target realm may reject the ticket because it has an unexpectedly large privsvr checksum buffer. This behavior is unnecessarily picky as the target realm KDC cannot and does not need to very the privsvr checksum, but [MS-PAC] 2.8.2 does limit the checksum key to three specific enctypes. As a workaround, add a string attribute which can force the privsvr key to use a specified enctype using key derivation when issuing tickets to that principal. This attribute can be set on cross-realm TGT entries when the target realm uses Active Directory and the local TGT uses an aes-sha2 primary key. https://github.com/krb5/krb5/commit/5af907156f8f502bbe268f0c62274f88a61261e4 Author: Greg Hudson Commit: 5af907156f8f502bbe268f0c62274f88a61261e4 Branch: master doc/admin/admin_commands/kadmin_local.rst | 9 ++++ src/include/kdb.h | 1 + src/kdc/do_tgs_req.c | 6 +-- src/kdc/kdc_authdata.c | 7 ++- src/kdc/kdc_util.c | 72 +++++++++++++++++++++++++++---- src/kdc/kdc_util.h | 6 ++- src/tests/t_authdata.py | 19 +++++++- 7 files changed, 105 insertions(+), 15 deletions(-)