diff options
| author | Greg Hudson <ghudson@mit.edu> | 2012-07-01 14:19:56 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-07-01 14:19:56 -0400 |
| commit | 18b02f3e839c007fff54fc9b693f479b7563ec73 (patch) | |
| tree | 61d65744e6be89453f1fb28280a9d446c3c49e5c /src/lib/gssapi | |
| parent | 61078fb49d3cf1e761541d10febeb0f27cdf543c (diff) | |
| download | krb5-18b02f3e839c007fff54fc9b693f479b7563ec73.tar.gz krb5-18b02f3e839c007fff54fc9b693f479b7563ec73.tar.xz krb5-18b02f3e839c007fff54fc9b693f479b7563ec73.zip | |
Try harder to make keytab-based AS requests work
When making a keytab-based AS request, a client has to choose between
sending its reply key enctype preference list (the enctypes it has in
the keytab) and its session key enctype preference list (all of the
enctypes it supports). Heimdal and MIT krb5 1.11 clients send the
reply key preference list. If this list doesn't overlap with the
server principal keys (say, because the krbtgt principal has only a
DES key), then the AS request will fail.
Try to make this work by making the KDC optimistically pick the first
permitted enctype in the request as the session key, even though it
can't be certain that other KDCs in the realm support that enctype.
Make sure to exercise this case in t_keytab.py by doing a multipass
keytab kinit test.
ticket: 7190 (new)
Diffstat (limited to 'src/lib/gssapi')
0 files changed, 0 insertions, 0 deletions