Bug 15273 - Heimdal KDC should only announce PA-Types it supports
Summary: Heimdal KDC should only announce PA-Types it supports
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.17.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-29 10:30 UTC by Stefan Metzmacher
Modified: 2023-08-02 21:18 UTC
CC: 1 user

See Also:


Attachments
4.17 patches (has to go via lorikeet-heimdal and samba master first) (3.24 KB, patch)
2022-12-30 12:43 UTC, Stefan Metzmacher, no flags
4.16 patches (has to go via lorikeet-heimdal and samba master first) (3.24 KB, text/plain)
2022-12-30 12:43 UTC, Stefan Metzmacher, no flags

Description Stefan Metzmacher 2022-12-29 10:30:56 UTC
The heimdal KDC announces support for KRB5_PADATA_FX_FAST, KRB5_PADATA_PKINIT_KX
and KRB5_PADATA_GSS, even if they are later rejected/ignored.

It means in Samba KRB5_PADATA_FX_FAST is announced in the PREAUTH-REQUIRED response, even if 'kdc enable fast = no' is configured.
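The behaviour described above, as an added example that is not code from Samba or Heimdal: a small Python decoder for the METHOD-DATA (SEQUENCE OF PA-DATA) a KDC places in the e-data of a KDC_ERR_PREAUTH_REQUIRED KRB-ERROR. It lists the PA types the KDC announces and flags those that the KDC's own configuration says it will not honour, which is exactly the mismatch this bug is about (FX-FAST announced with 'kdc enable fast = no'). The sample e-data is constructed here, not captured from a real KDC; PA type numbers follow RFC 4120, RFC 6113 and RFC 8062, and the value used for KRB5_PADATA_GSS (178) is taken from Heimdal's krb5.asn1 and is an assumption of this example.

```python
"""Decode KRB-ERROR e-data METHOD-DATA and compare announced PA types
against what the KDC is configured to support.

ASN.1 (RFC 4120, explicit context tags):
  METHOD-DATA ::= SEQUENCE OF PA-DATA
  PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
"""

# PA type numbers (RFC 4120 / 6113 / 8062). PA_GSS = 178 is Heimdal's
# KRB5_PADATA_GSS value and is an assumption of this example.
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO2 = 19
PA_FX_FAST = 136
PA_ENCRYPTED_CHALLENGE = 138
PA_PKINIT_KX = 147
PA_GSS = 178


def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tag) -> (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_int(v):
    """Minimal two's-complement DER INTEGER."""
    return _encode_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_pa_data(pa_type, value=b""):
    return _encode_tlv(0x30,
                       _encode_tlv(0xA1, _encode_int(pa_type)) +
                       _encode_tlv(0xA2, _encode_tlv(0x04, value)))


def encode_method_data(entries):
    """entries: iterable of (pa_type, padata_value bytes)."""
    return _encode_tlv(0x30, b"".join(encode_pa_data(t, v) for t, v in entries))


def decode_method_data(edata):
    """Return the list of padata-type values announced in a METHOD-DATA blob."""
    tag, body, end = _read_tlv(edata, 0)
    if tag != 0x30 or end != len(edata):
        raise ValueError("e-data is not a single SEQUENCE")
    types, pos = [], 0
    while pos < len(body):
        tag, pa, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PA-DATA is not a SEQUENCE")
        t1, inner, _ = _read_tlv(pa, 0)
        if t1 != 0xA1:
            raise ValueError("expected [1] padata-type")
        t2, ival, _ = _read_tlv(inner, 0)
        if t2 != 0x02:
            raise ValueError("padata-type is not an INTEGER")
        types.append(int.from_bytes(ival, "big", signed=True))
    return types


def unsupported_announcements(pa_types, enable_fast=True, enable_pkinit=True, enable_gss=True):
    """PA types the KDC announced but its configuration will later reject/ignore."""
    disabled = set()
    if not enable_fast:
        disabled.add(PA_FX_FAST)
    if not enable_pkinit:
        disabled.add(PA_PKINIT_KX)
    if not enable_gss:
        disabled.add(PA_GSS)
    return [t for t in pa_types if t in disabled]


# Constructed sample: what a pre-fix KDC might announce in PREAUTH-REQUIRED.
SAMPLE_EDATA = encode_method_data([
    (PA_ETYPE_INFO2, b""), (PA_ENC_TIMESTAMP, b""), (PA_FX_FAST, b""),
    (PA_ENCRYPTED_CHALLENGE, b""), (PA_PKINIT_KX, b""), (PA_GSS, b""),
])

if __name__ == "__main__":
    announced = decode_method_data(SAMPLE_EDATA)
    print("announced PA types:", announced)
    # 'kdc enable fast = no' -> FX-FAST must not be announced
    print("announced but disabled:", unsupported_announcements(announced, enable_fast=False))
```

To check a real KDC, extract the e-data OCTET STRING from the KRB-ERROR (field [12]) with a packet capture and feed those bytes to decode_method_data; with 'kdc enable fast = no' the returned list should not contain 136.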
Comment 1 Stefan Metzmacher 2022-12-30 12:43:15 UTC
Created attachment 17714
4.17 patches (has to go via lorikeet-heimdal and samba master first)
Comment 2 Stefan Metzmacher 2022-12-30 12:43:42 UTC
Created attachment 17715
4.16 patches (has to go via lorikeet-heimdal and samba master first)
Comment 3 Andrew Bartlett 2023-08-02 21:18:48 UTC
This was addressed with updates to Heimdal for Samba 4.19.