Message-Id: <402ABB1A.10E4A29D@anl.gov>
Date: Wed, 11 Feb 2004 17:30:34 -0600
From: "Douglas E. Engert"
To: rt-comment@krbdev.mit.edu
Cc: hartmans@mit.edu, krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2110] MIT KDC fails to handle unknown padata

Tom Yu via RT wrote:
>
> >>>>> "DEEngert" == DEEngert@anl gov via RT writes:
>
> DEEngert> to a 1.2.8 KDC, I can get it to fail if the user principal has
> DEEngert> the REQUIRE_PRE_AUTH attribute. When it is not set the kinit works.
>
> DEEngert> Have you tried this combination?
>
> DEEngert> kinit output:
>
> DEEngert> orleans.ctd.anl.gov% kinit -m b17783@KRB5.ANL.GOV
> DEEngert> kinit(v5): Preauthentication failed while getting initial credentials
>
> DEEngert> KDC log:
>
> DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: no valid preauth type found: Unknown code 0
> DEEngert> Feb 11 15:18:48 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {1 3 16 23}) 146.137.180.252(88): PREAUTH_FAILED: b17783@KRB5.ANL.GOV for krbtgt/KRB5.ANL.GOV@KRB5.ANL.GOV, Preauthentication failed
>
> I think the code is functioning as I expect it to, in this case.

No.

> After all, you require preauth, and you didn't provide any preauth
> that it understood. Or are you saying that it should ask for
> additional preauth rather than returning "preauth failed"?

Yes, on the first AS-REQ the client does not know what preauth, if any, is
required. So it just sends the PA-PAC-REQUEST. It has to do this on the
first request, as preauth may not be needed. If preauth is not required,
the KDC ignores the PA-PAC-REQUEST and it works. If preauth is required, a
krb-error SHOULD be sent saying which preauths can be used.

I think the KDC code sees some preauth data (PA-PAC-REQUEST) but not any it
can use, and assumes that this must be a second AS-REQ request and that it
has already sent the client a krb-error with the list of preauths. So the
KDC sends the failed message, and never sends the list of required preauths.

> ---Tom

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
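The two KDC decision paths this reply contrasts, as an added illustration that is not part of the ticket or of the krb5 code base: a constructed Python model in which any padata at all is taken as a preauth attempt (the behaviour reported above) beside one that skips padata types it cannot verify and returns the PREAUTH_REQUIRED hint instead. The padata type and error numbers are the standard ones; the key, the verifier and the message dictionaries are stand-ins.

```python
# Constructed model of the KDC padata decision discussed above; not krb5 code.
# Type and error numbers are the real ones from RFC 4120 and MS-KILE.
PA_ENC_TIMESTAMP = 2      # a preauth mechanism the KDC can verify
PA_ETYPE_INFO = 11        # informational padata returned in the KRB-ERROR
PA_PAC_REQUEST = 128      # informational padata the client sends unprompted
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25

CLIENT_KEY = "k-constructed"   # stand-in for the principal's long-term key
VERIFIABLE = {PA_ENC_TIMESTAMP}

def verify_padata(pa_type, pa_value):
    """Stand-in verifier: ENC-TIMESTAMP 'decrypts' iff it was made with the key."""
    return pa_type == PA_ENC_TIMESTAMP and pa_value.get("key") == CLIENT_KEY

def kdc_buggy(require_preauth, padata):
    """Behaviour reported in the ticket: any padata at all is taken to mean the
    client is already answering a preauth challenge, so unknown types fail."""
    if not require_preauth:
        return {"msg": "AS-REP"}
    if padata:
        for pa_type, pa_value in padata:
            if pa_type in VERIFIABLE and verify_padata(pa_type, pa_value):
                return {"msg": "AS-REP"}
        return {"msg": "KRB-ERROR", "code": KDC_ERR_PREAUTH_FAILED}
    return {"msg": "KRB-ERROR", "code": KDC_ERR_PREAUTH_REQUIRED,
            "e-data": [PA_ETYPE_INFO, PA_ENC_TIMESTAMP]}

def kdc_fixed(require_preauth, padata):
    """Behaviour the reply asks for: only a failed attempt at a preauth type the
    KDC actually understands is PREAUTH_FAILED; anything else gets the hint."""
    if not require_preauth:
        return {"msg": "AS-REP"}
    attempted = False
    for pa_type, pa_value in padata:
        if pa_type not in VERIFIABLE:
            continue                      # e.g. PA-PAC-REQUEST: ignore, don't count
        attempted = True
        if verify_padata(pa_type, pa_value):
            return {"msg": "AS-REP"}
    if attempted:
        return {"msg": "KRB-ERROR", "code": KDC_ERR_PREAUTH_FAILED}
    return {"msg": "KRB-ERROR", "code": KDC_ERR_PREAUTH_REQUIRED,
            "e-data": [PA_ETYPE_INFO, PA_ENC_TIMESTAMP]}

# Round 1 from the ticket: REQUIRE_PRE_AUTH set, client sends only PA-PAC-REQUEST.
FIRST_AS_REQ = [(PA_PAC_REQUEST, {"include-pac": True})]
```

With `FIRST_AS_REQ` the buggy path returns error 24 and the client never learns which preauth to supply; the fixed path returns error 25 with the type list, and a second request carrying a valid ENC-TIMESTAMP then gets the AS-REP.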