a59bb7132fec98e795daeb864a7688fe8fc3c54f

This is part of the fix to #173. MSFT RODCs insist that the name type for krbtgt principals be set to KRB5_NT_SRV_INST.

Commentary from Jeffrey Altman <jaltman@secure-endpoints.com>:

As reported by David Mulder of Dell's Quest, Active Directory will return a BAD_INTEGRITY error when a request for a krbtgt service ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST as required by RFC 4120. [Nico: RFC 4120 does not require this. See the description of the name-type field of PrincipalName on page 55.]

    ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
    Client: SLED10-32$@F.QAS, Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
    Caused by:
    KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed

Microsoft began enforcing principal type checking for RODCs in 2008R2. Microsoft does state that ALL krbtgt/REALM tickets SHOULD be sent using principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.

From Microsoft: "I believe we discovered the problem. There isn't a bug in Windows. There's been a code change to address another issue which puts in additional checks for Kerberos tickets. The problem is with the Unix clients when the client requests a TGT. The Unix clients are using Name-type Principal [KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance [KRB_NT_SRV_INST (2)]...."

This change assigns the NT-SRV-INST principal type each time a krbtgt service principal is created. Unlike Microsoft, Heimdal mostly does not care about the name-type of any principals, with the exception of referrals, where the name type is needed to decide how to find a next-hop realm.
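The commit message above turns on a single field of the Kerberos PrincipalName structure (RFC 4120 section 5.2.2): name-type, which is KRB5_NT_PRINCIPAL (1) on the failing clients and KRB5_NT_SRV_INST (2) on the ones Active Directory accepts. The following is an added example, not Heimdal code and not from the commit: a minimal DER encoder/decoder for PrincipalName that builds a krbtgt/REALM principal with the NT-SRV-INST type and a check that flags a krbtgt principal carrying any other type, which is the condition the RODC rejects. The realm F.QAS is taken from the error output above; everything else (function names, the check itself) is constructed for illustration.

```python
"""Added example (not Heimdal code): encode, decode and check a Kerberos
PrincipalName (RFC 4120 5.2.2) so the name-type field discussed in the
commit message is visible on the wire.

PrincipalName ::= SEQUENCE {
    name-type   [0] Int32,
    name-string [1] SEQUENCE OF KerberosString   -- GeneralString, tag 0x1B
}
"""

KRB5_NT_PRINCIPAL = 1   # name-type the failing Unix clients sent
KRB5_NT_SRV_INST = 2    # name-type Active Directory insists on for krbtgt


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """Minimal-length two's-complement DER INTEGER (Int32 in the ASN.1)."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_principal_name(name_type, components):
    """Build the DER PrincipalName for the given type and name components."""
    name_string = b"".join(_tlv(0x1B, c.encode("ascii")) for c in components)
    return _tlv(0x30,
                _tlv(0xA0, _der_int(name_type)) +        # [0] name-type
                _tlv(0xA1, _tlv(0x30, name_string)))     # [1] name-string


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def decode_principal_name(der):
    """Parse DER PrincipalName into (name_type, [components])."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a PrincipalName SEQUENCE")
    tag0, int_body, pos = _read_tlv(body, 0)
    itag, ival, _ = _read_tlv(int_body, 0)
    if tag0 != 0xA0 or itag != 0x02:
        raise ValueError("bad name-type element")
    name_type = int.from_bytes(ival, "big", signed=True)
    tag1, seq_body, _ = _read_tlv(body, pos)
    stag, strs, _ = _read_tlv(seq_body, 0)
    if tag1 != 0xA1 or stag != 0x30:
        raise ValueError("bad name-string element")
    components, p = [], 0
    while p < len(strs):
        ctag, cval, p = _read_tlv(strs, p)
        if ctag != 0x1B:
            raise ValueError("name component is not a GeneralString")
        components.append(cval.decode("ascii"))
    return name_type, components


def krbtgt_principal(realm):
    """The krbtgt/REALM principal as this commit makes Heimdal create it."""
    return encode_principal_name(KRB5_NT_SRV_INST, ["krbtgt", realm])


def check_krbtgt_name_type(der):
    """Return None if the principal passes the RODC's rule, else a diagnostic.

    Constructed check mirroring the behaviour the commit message describes:
    only krbtgt principals are inspected, and they must be NT-SRV-INST.
    """
    name_type, comps = decode_principal_name(der)
    if comps[:1] != ["krbtgt"]:
        return None
    if name_type != KRB5_NT_SRV_INST:
        return ("%s sent with name-type %d, expected KRB5_NT_SRV_INST (%d)"
                % ("/".join(comps), name_type, KRB5_NT_SRV_INST))
    return None


if __name__ == "__main__":
    good = krbtgt_principal("F.QAS")
    bad = encode_principal_name(KRB5_NT_PRINCIPAL, ["krbtgt", "F.QAS"])
    print(good.hex())
    print(check_krbtgt_name_type(good))
    print(check_krbtgt_name_type(bad))
```

Only the name-type integer differs between the accepted and rejected encodings; the name-string ["krbtgt", "F.QAS"] is byte-for-byte identical, which is why the failure shows up as a server-side integrity error rather than an unknown-principal error.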
Heimdal is a Kerberos 5 implementation. For information on how to install it, see <http://www.h5l.org/compile.html>. There are brief man pages for most of the commands. Bug reports are appreciated; see the "Bug reports" section of the manual for how we prefer them, and send them to <heimdal-bugs@h5l.org>. For more information see the web page at <http://www.h5l.org/> or the mailing lists:

    heimdal-announce@sics.se    low-volume announcements
    heimdal-discuss@sics.se     high-volume discussion

Send mail to heimdal-announce-request@sics.se and heimdal-discuss-request@sics.se respectively to subscribe.