[00:02:22] --- Simon Wilkinson has become available
[01:07:33] --- Simon Wilkinson has left
[02:03:08] --- Simon Wilkinson has become available
[04:11:01] --- Marc Dionne has become available
[04:42:50] --- Simon Wilkinson has left
[05:34:04] --- Simon Wilkinson has become available
[05:49:52] --- Simon Wilkinson has left
[05:49:52] --- Simon Wilkinson has become available
[05:49:52] --- Simon Wilkinson has left: Lost connection
[05:57:03] --- mvita has become available
[06:31:21] --- mvita has left
[06:33:07] --- Simon Wilkinson has become available
[06:58:48] --- Simon Wilkinson has left
[07:22:33] --- deason has become available
[08:41:25] --- mvita has become available
[11:33:49] --- Simon Wilkinson has become available
[12:55:39] --- jaltman/FrogsLeap has left
[12:57:09] --- jaltman/FrogsLeap has become available
[14:23:09] <kaduk@mit.edu/barnowl> I just got out of an all-day meeting.
Are there outstanding questions on the list that I should reply to?
It looks like things are in hand, from a quick scan.
[14:31:35] --- mvita has left
[14:31:59] --- mvita has become available
[15:00:28] <deason> nothing right now, but in that windows thread, it's clear that some windows kdcs will issue an aes ticket if the client requests an aes session key
[15:00:41] <deason> while it's buggy, my earlier mention of trying des-only first would work around that....
[15:01:27] <deason> I assume we won't do anything like that, but just wanted to mention it again
[15:02:12] <kaduk@mit.edu/barnowl> Buggy KDCs are buggy, you say?
I'm not sure what you mean by "we" doing anything "like that".
[15:02:46] <deason> in certain scenarios, a windows kdc can issue an aes service ticket for afs only if the client requests an aes session key
[15:02:55] <deason> even though the service princ only has des enabled
[15:03:16] <deason> that's why for lars schimmer, 1.6.5/1.7.26/etc clients don't work in his environment, even though he didn't change anything with the afs service princ
[15:03:43] <deason> if instead the clients tried to request a des session key, and only tried to request an e.g. aes session key if that failed, he wouldn't have a problem
[15:04:47] <jaltman/FrogsLeap> I would be in favor (on windows only) of examining the TGT and seeing if it contains a PAC.  If so, request des first
[15:06:37] <deason> why on windows only? the client platform shouldn't matter
[15:07:18] <deason> although arguably the effort is better spent trying to get people to recognize that that option is turned on when they shouldn't haved turned it on
[15:08:40] <jaltman/FrogsLeap> we need to know that is in fact what is going on.  we don't know that for sure.
[15:10:09] <deason> well, while it's a guess that this is what is happening to lars, even if it's not it seems like a problem
[15:10:28] <deason> er, I mean, even if this isn't what's causing lars' problem, it's a potential problem anyway
[15:10:31] <jaltman/FrogsLeap> why is it our problem?   its Microsoft's bug
[15:11:10] <deason> not our problem, yes; I was just saying, if we tried des first the problem would go away with no downside
[15:11:26] <deason> so maybe it's not worth doing anything about
[15:11:50] <deason> were you asking for people with MS contracts to file a bug, by the way, or just anyone?
[15:12:06] <jaltman/FrogsLeap> MSFT != MS
[15:12:42] <jaltman/FrogsLeap> if an org does not have a support contract and a significant outage there will be no fix released.
[15:15:18] <deason> okay, so a report from a random person doesn't do anything
[15:16:15] <jaltman/FrogsLeap> from a thousand random people reporting a client side bug, maybe.  for a server side bug?  nope.
[15:17:35] <deason> "why is it our problem?   its Microsoft's bug"
so, then it's our problem if they don't do anything about it, since it makes 1.6.5/1.7.26/etc not work with the relevant ad servers
[15:17:47] <jaltman/FrogsLeap> What we could also do is look at the ticket that is issued, if the service ticket enctype is DES-*-* and the session enctype is not DES-*-*, then reissue the request with DES-CBC-CRC
[15:18:37] <jaltman/FrogsLeap> if we work around the problem then no one will complain to microsoft and it won't get fixed.
[15:18:42] <deason> but can't we just issue with the request with DES, and if we get a ETYPE_NOTSUPP error or whatever it's called, try it without the DES restriction?
[15:19:25] <jaltman/FrogsLeap> I don't want to penalize the clients that do the right thing if the KDC's are hardened
[15:21:13] <deason> okay; as I said, I wasn't pushing hard for it, just bringing it up
[15:21:14] <jaltman/FrogsLeap> server 2008 r2 and later are effectively no DES at all (by policy).
[15:21:46] <deason> I think I care more about removing unnecessary KdcUseRequestedEtypesForTickets installations than fixing the ad-side bug, but either way
[15:21:59] <deason> (anyway, gotta go)
[15:22:05] --- deason has left
[15:25:25] --- mvita has left
[18:38:16] --- Marc Dionne has left
[20:16:53] --- ballbery has left
[20:16:54] --- ballbery has become available