[OpenAFS] klog.krb5 incompatible with Heimdal 1.5.1?

Andreas Haupt ahaupt@ifh.de
Thu, 13 Oct 2011 16:33:58 +0200


Hi Jeffrey,

On Thu, 2011-10-13 at 10:24 -0400, Jeffrey Altman wrote:
> The difference in the two cases is that -tmp is requesting a TGT first
> whereas without -tmp the afs@IFH.DE request is being issued directly.
> In the non -tmp case the KDC replies with a ticket encrypted using
> aes256-cts-hmac-sha1-96 which is not supported for AFS.

Hmm, but it looks the same on the Heimdal 1.2.1 KDC (where klog.krb5
works without problems). For completeness, here is the log of the 1.2.1 KDC
when the client issues 'klog.krb5':

Oct 13 16:27:24 hekate kdc[9671]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs/ifh.de@IFH.DE
Oct 13 16:27:24 hekate kdc[9671]: UNKNOWN -- afs/ifh.de@IFH.DE: No such entry in the database
Oct 13 16:27:24 hekate kdc[9671]: sending 112 bytes to IPv4:141.34.2.11
Oct 13 16:27:24 hekate kdc[9671]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE
Oct 13 16:27:24 hekate kdc[9671]: Client sent patypes: 149
Oct 13 16:27:24 hekate kdc[9671]: Looking for PKINIT pa-data -- ahaupt@IFH.DE
Oct 13 16:27:24 hekate kdc[9671]: Looking for ENC-TS pa-data -- ahaupt@IFH.DE
Oct 13 16:27:24 hekate kdc[9671]: No preauth found, returning PREAUTH-REQUIRED -- ahaupt@IFH.DE
Oct 13 16:27:24 hekate kdc[9671]: sending 307 bytes to IPv4:141.34.2.11
Oct 13 16:27:26 hekate kdc[9671]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE
Oct 13 16:27:26 hekate kdc[9671]: Client sent patypes: encrypted-timestamp, 149
Oct 13 16:27:26 hekate kdc[9671]: Looking for PKINIT pa-data -- ahaupt@IFH.DE
Oct 13 16:27:26 hekate kdc[9671]: Looking for ENC-TS pa-data -- ahaupt@IFH.DE
Oct 13 16:27:26 hekate kdc[9671]: ENC-TS Pre-authentication succeeded -- ahaupt@IFH.DE using aes256-cts-hmac-sha1-96
Oct 13 16:27:26 hekate kdc[9671]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
Oct 13 16:27:26 hekate kdc[9671]: Using aes256-cts-hmac-sha1-96/des-cbc-md5
Oct 13 16:27:26 hekate kdc[9671]: Requested flags: renewable, forwardable
Oct 13 16:27:26 hekate kdc[9671]: AS-REQ authtime: 2011-10-13T16:27:26 starttime: unset endtime: 2011-10-14T17:27:24 renew till: 2011-11-12T15:27:24
Oct 13 16:27:26 hekate kdc[9671]: sending 631 bytes to IPv4:141.34.2.11

The encryption types sent out to the client are the same
(aes256-cts-hmac-sha1-96/des-cbc-md5), aren't they?

> This could be either a bug in klog.krb5 or in Heimdal.  I haven't looked
> at any code yet.  In the non -tmp case either klog.krb5 is not
> requesting des-cbc-crc or Heimdal is forgetting that request when
> responding to the pre-auth request.

Thanks,
Andreas
-- 
| Andreas Haupt             | E-Mail: andreas.haupt@desy.de
|  DESY Zeuthen             | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6          | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen          | Fax:    +49/33762/7-7216
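As an added example (not code from this thread, OpenAFS or Heimdal): a small parser for Heimdal KDC log lines of the shape quoted above, which groups each AS-REQ with the enctypes the client offered and the pair the KDC logged in its "Using a/b" line, and flags exchanges whose pair contains no single-DES enctype. It assumes, following the thread, that klog.krb5 needs a DES enctype (it asks for des-cbc-crc, and aes256-cts-hmac-sha1-96 is stated to be unusable for AFS); the second exchange in the sample input is constructed as a stand-in, since the 1.5.1 KDC log is not part of this message.

```python
import re
from dataclasses import dataclass, field

# Line shapes of a Heimdal KDC AS-REQ exchange, as they appear in the message above.
AS_REQ_RE = re.compile(r"kdc\[\d+\]: AS-REQ (\S+) from (\S+) for (\S+)$")
SUPPORTED_RE = re.compile(r"Client supported enctypes: (.+)$")
USING_RE = re.compile(r"Using (\S+)/(\S+)$")

# Assumption, following the thread: klog.krb5 needs a single-DES enctype
# (it asks for des-cbc-crc), and aes256-cts-hmac-sha1-96 is not usable for AFS.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

@dataclass
class AsReqExchange:
    client: str
    service: str
    supported: list = field(default_factory=list)   # enctypes the client offered
    chosen: tuple = None                             # the KDC's "Using a/b" pair

def parse_kdc_log(text):
    """Group KDC log lines into AS-REQ exchanges, in order of appearance."""
    exchanges, cur = [], None
    for line in text.splitlines():
        if m := AS_REQ_RE.search(line):
            cur = AsReqExchange(client=m.group(1), service=m.group(3))
            exchanges.append(cur)
        elif cur and (m := SUPPORTED_RE.search(line)):
            cur.supported = [e.strip() for e in m.group(1).split(",")]
        elif cur and (m := USING_RE.search(line)):
            cur.chosen = (m.group(1), m.group(2))
    return exchanges

def afs_usable(ex):
    """True when the KDC's chosen pair contains a single-DES enctype."""
    return ex.chosen is not None and bool(SINGLE_DES & set(ex.chosen))

def check_afs_requests(text, service="afs@IFH.DE"):
    """Return (chosen pair, usable?) for each completed AS-REQ for `service`."""
    return [(ex.chosen, afs_usable(ex))
            for ex in parse_kdc_log(text) if ex.service == service and ex.chosen]

# Sample input: the first exchange is taken from the 1.2.1 log quoted above; the
# second is a constructed stand-in for a KDC that picked AES only (hypothetical).
SAMPLE_LOG = """\
Oct 13 16:27:26 hekate kdc[9671]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE
Oct 13 16:27:26 hekate kdc[9671]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
Oct 13 16:27:26 hekate kdc[9671]: Using aes256-cts-hmac-sha1-96/des-cbc-md5
Oct 13 16:30:00 other kdc[1234]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE
Oct 13 16:30:00 other kdc[1234]: Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
"""
```

Running `check_afs_requests(SAMPLE_LOG)` reports the quoted 1.2.1 exchange as usable and the constructed AES-only exchange as not usable, which is the comparison the message is making between the two KDCs.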