From: Greg Hudson Date: Sat, 20 Mar 2010 03:50:06 +0000 (+0000) Subject: Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 X-Git-Tag: krb5-1.9-beta1~300 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=5321c69e3306febb2c8021119916b46aed8ef5e5;p=krb5.git Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data type, was used to implement PAC-less constrained delegation in krb5 1.8. Unfortunately, it was found that Microsoft was using 142 for other purposes, which could result in a ticket issued by an MIT or Heimdal KDC being rejected by a Windows Server 2008 R2 application server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate among a realm's KDCs, it is relatively easy to change the number, so MIT and Heimdal are both migrating to a new number. This change will cause a transitional interoperability issue when a realm mixes MIT krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal 1.3.2) KDCs, but only for constrained delegation evidence tickets. ticket: 6687 target_version: 1.8.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23821 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 63b69710a..875d14a60 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, #define KRB5_AUTHDATA_SESAME 65 #define KRB5_AUTHDATA_WIN2K_PAC 128 #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ -#define KRB5_AUTHDATA_SIGNTICKET 142 +#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ #define KRB5_AUTHDATA_FX_ARMOR 71 /* password change constants */