-8.3. Protocol constants and associated values as of December 19, 1993
+8.3. Protocol constants and associated values
The following tables list constants used in the protocol and defines
their meanings.
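Review bot: Dropping "as of December 19, 1993" from the 8.3 heading removes the only revision marker on these tables, while the same patch changes assigned values in them. Suggest keeping a date or revision reference in the heading, or pointing from here to the dated errata banner, so a reader can tell which version of the constants they are looking at.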
des-cbc-crc 1 8 4 8
des-cbc-md4 2 8 0 8
des-cbc-md5 3 8 0 8
+<reserved> 4
-------------------------------+-------------------+-------------
Checksum type |sumtype value |checksum size
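Review bot: The added "<reserved> 4" row in the encryption type table carries only the value and leaves the remaining columns empty, unlike the des-cbc-* rows above it, and nothing visible says what 4 is reserved for or how an implementation should treat it when it appears in a message. Suggest filling the empty columns with an explicit placeholder and adding a short sentence on the reservation, with a matching errata entry.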
PA-TGS-REQ 1
PA-ENC-TIMESTAMP 2
PA-PW-SALT 3
-PA-DATA-SESAME 4
+<reserved> 4
+PA-ENC-UNIX-TIME 5
+PA-SANDIA-SECUREID 6
+PA-SESAME 7
+PA-OSF-DCE 8
+PA-CYBERSAFE-SECUREID 9
-------------------------------+-------------
authorization data type |ad-type value
-------------------------------+-------------
reserved values 0-63
-OSF-DCE 64
-SESAME 65
+AD-OSF-DCE 64
+AD-SESAME 65
-------------------------------+-----------------
alternate authentication type |method-type value
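Review bot: In the padata table, value 4 changes from PA-DATA-SESAME to "<reserved>" and SESAME reappears as PA-SESAME 7, so an implementation built from the earlier table will emit 4 where a peer following this one expects 7. Suggest noting the former assignment beside the reserved row (for example "formerly PA-DATA-SESAME") and recording the renumbering in the errata list, since none of the visible errata entries mention it. The AD-OSF-DCE and AD-SESAME lines are a rename only, with 64 and 65 unchanged, which is fine, but the five new padata types (5 through 9) would benefit from a one-line description or reference each.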
KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL
KRB_SAFE 20 Safe (checksummed) application message
KRB_PRIV 21 Private (encrypted) application message
-KRB_CRED 22 Private (encrypted) message to forward
- credentials
+KRB_CRED 22 Private (encrypted) message to forward credentials
KRB_ERROR 30 Error response
name types
KRB_NT_UNKNOWN 0 Name type not known
-KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or
- for users
+KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users
KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt)
-KRB_NT_SRV_HST 3 Service with host name as instance (telnet,
- rcommands)
+KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands)
KRB_NT_SRV_XHST 4 Service with host as remaining components
KRB_NT_UID 5 Unique ID
error codes
KDC_ERR_NONE 0 No error
-KDC_ERR_NAME_EXP 1 Client's entry in database has
- expired
-KDC_ERR_SERVICE_EXP 2 Server's entry in database has
- expired
-KDC_ERR_BAD_PVNO 3 Requested protocol version number
- not supported
-KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old
- master key
-KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old
- master key
+KDC_ERR_NAME_EXP 1 Client's entry in database has expired
+KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired
+KDC_ERR_BAD_PVNO 3 Requested protocol version # not supported
+KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key
KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database
KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database
-KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in
- database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database
KDC_ERR_NULL_KEY 9 The client or server has a null key
KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating
-KDC_ERR_NEVER_VALID 11 Requested start time is later than
- end time
+KDC_ERR_NEVER_VALID 11 Requested start time is later than end time
KDC_ERR_POLICY 12 KDC policy rejects request
-KDC_ERR_BADOPTION 13 KDC cannot accommodate requested
- option
-KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption
- type
+KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type
KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type
KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type
KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type
KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked
-KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been
- revoked
+KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked
KDC_ERR_TGT_REVOKED 20 TGT has been revoked
-KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again
- later
-KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again
- later
-KDC_ERR_KEY_EXPIRED 23 Password has expired - change
- password to reset
-KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information
- was invalid
-KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authentication
- required*
-KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field
- failed
+KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED 23 Password has expired - change to reset
+KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was invalid
+KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authentication required*
+KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match
+KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed
KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired
KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid
KRB_AP_ERR_REPEAT 34 Request is a replay
KRB_AP_ERR_MSG_TYPE 40 Invalid msg type
KRB_AP_ERR_MODIFIED 41 Message stream modified
KRB_AP_ERR_BADORDER 42 Message out of order
-KRB_AP_ERR_BADKEYVER 44 Specified version of key is not
- available
+KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available
KRB_AP_ERR_NOKEY 45 Service key not available
KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed
KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction
-KRB_AP_ERR_METHOD 48 Alternative authentication method
- required*
+KRB_AP_ERR_METHOD 48 Alternative authentication method required*
KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message
-KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in
- message
+KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message
KRB_ERR_GENERIC 60 Generic error (description in e-text)
-KRB_ERR_FIELD_TOOLONG 61 Field is too long for this
- implementation
+KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation
*This error carries additional information in the e-data field. The
contents of the e-data field for this message is described in section
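Review bot: The reflowed KDC_ERR_KEY_EXPIRED line now reads "Password has expired - change to reset", which loses the word "password" from the old "change password to reset" and no longer says what to change. Suggest restoring the original wording, shortening elsewhere if the line must fit. Two other changes in this region are more than reflow and deserve to be called out separately: KDC_ERR_SERVER_NOMATCH 26 is a new error code added among whitespace-only edits with no corresponding errata entry visible, and KDC_ERR_BAD_PVNO changes "version number" to "version #", which is inconsistent with the rest of the table.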
----rfc1510.eratta---as of June 14, 1994---
+---rfc1510.eratta---as of Auguest 10, 1994---
1. [19940312] The following lines describes corrections to pseudocode
in rfc1510 as of March 12, 1994.
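Review bot: The new banner line spells the month "Auguest"; it should read "August 10, 1994". The file name "rfc1510.eratta" is carried over unchanged from the old line, so if the spelling of "errata" is going to be corrected, this is the place to do it.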
encryption methods for the application server. The KDC will not issue
tickets with a weak session key encryption type.
+---
+3. [19940707] Case of realm names for DNS based realm names,
+
+ The following should appear in section 7.1 before the description
+ of the four classed of realm names (before "There are presently...")
+
+ Kerberos realm names are case sensitive. Realm names that differ
+ only in the case of the characters are not equivalent.
+
+ The domain example should be changes from:
+ domain: host.subdomain.domain (example)
+
+ To:
+
+ domain: ATHENA.MIT.EDU (example)
+
+ The following should be append to the domain name paragraph of
+ section 7.1 (following "nor slashes (/).")
+
+ Domain names must be converted to upper case when used as realm names.
+
+---
+4. [19940707] Official name of host is instance for NT-SRV-HST
+
+ Append to paragraph 7.2.1:
+
+ When a host has an official name and one or more aliases, the
+ official name of the host must be used when constructing the name
+ of the server principal.
+
+---
+
+5. [19940722] The protocol is standards track
+
+ In the 3rd paragraph of the overview delete:
+
+ ", and are not being submitted for consideration as
+ an Internet standard at this time"
+
+ as it contradicts the first sentence of the RFC.
+
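Review bot: Item 3 states both that realm names are case sensitive and that domain names must be converted to upper case when used as realm names, but it does not say which party performs the conversion or how a lower-case domain-style realm name received in a message is to be handled. Since names differing only in case "are not equivalent", a client and KDC that disagree on this will treat athena.mit.edu and ATHENA.MIT.EDU as different realms; suggest stating explicitly who converts and whether a non-upper-case domain-style realm is rejected or compared as-is. Item 4 requires the "official name" of the host in the server principal without saying how that name is determined, which matters because the result selects the principal a client authenticates to; a reference to the intended source of the official name would help. Wording fixes in the added lines: "four classed" should be "four classes", "should be changes from" should be "should be changed from", "should be append" should be "should be appended", and the item 3 title ends in a comma.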