Nicolas Williams a59bb7132f When building a princ name pick a sane def type
This is part of the fix to #173.  MSFT RODCs insist on the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.

Commentary from Jeffrey Altman <jaltman@secure-endpoints.com>

As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.

[Nico: RFC4120 does not require this.  See the description of the
       name-type field of PrincipalName on page 55.]

  ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
  Client: SLED10-32$@F.QAS,
  Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
  Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed

Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krgtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.

From Microsoft:

  "I believe we discovered the problem. There isn't a bug in Windows.
  There's been a code change to address another issue which puts in additional
  checks for Kerberos tickets. The problem is with the Unix clients when the
  client request a TGT. The Unix clients are using Name-type Principal
  [KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
  [KRB_NT_SRV_INST (2)]...."

This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created.  Unlike Microsoft, the Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.
2016-11-14 21:29:47 -06:00
2016-11-14 17:02:02 -05:00
2016-11-14 14:34:43 -05:00
2016-04-15 00:16:16 -05:00
2016-11-14 16:02:43 -05:00
2014-04-25 02:42:17 +02:00
2016-10-19 15:32:39 -04:00
2016-11-14 14:19:58 -05:00
2016-11-14 14:34:43 -05:00
2004-02-12 14:19:16 +00:00
2016-01-21 12:43:31 -06:00
2000-06-07 10:01:25 +00:00
2002-08-21 13:29:08 +00:00
2016-11-14 16:02:43 -05:00
2014-08-23 19:14:10 -07:00
2014-02-01 22:04:10 +00:00
2016-04-15 00:26:08 -05:00
2016-01-21 12:43:31 -06:00
2009-09-27 18:26:54 -07:00
2011-07-24 22:45:55 -07:00
2010-01-05 19:21:45 +01:00

Heimdal is a Kerberos 5 implementation.

For information how to install see <http://www.h5l.org/compile.html>.

There are briefer man pages for most of the commands.

Bug reports and bugs are appreciated, see more under Bug reports in
the manual on how we prefer them: <heimdal-bugs@h5l.org>.

For more information see the web-page at
<http://www.h5l.org/> or the mailing lists:

heimdal-announce@sics.se	low-volume announcement
heimdal-discuss@sics.se		high-volume discussion

send a mail to heimdal-announce-request@sics.se and
heimdal-discuss-request@sics.se respectively to subscribe.
Languages
C 92.1%
Roff 2.8%
Shell 2.3%
Makefile 0.7%
M4 0.5%
Other 1.4%