OpenSSH GSSAPI gives "Cannot find ticket for requested realm"
Peter Waller
peter.waller at gmail.com
Thu Jun 3 04:59:57 EDT 2010
Hi Simon,
On Jun 2, 6:00 pm, Simon Wilkinson <si... at sxw.org.uk> wrote:
> > Karmic 9.10: OpenSSH 5.1p1-6ubuntu2, libgssapi-krb5-2
> > 1.7dfsg~beta3-1ubuntu0.6
> > Lucid 10.04: OpenSSH 5.3p1-3ubuntu3, libgssapi-krb5-2 1.8.1+dfsg-2
>
> This particular version change makes me suspect something related to DES tickets. Does the service ticket you're trying to obtain have encryption types other than DES?
>
> The entire DES removal in 1.8 seems to have been extremely poorly communicated to the user community at large. I'm not sure whether the Kerberos Consortium or the downstream vendors should take responsibility for this, but it is _very_ easy to break production machines in fun and exciting ways by upgrading to 1.8. My advice, at present, would be to avoid 1.8 entirely until others have found all of the pain points and the documentation has been improved.
Thanks for your response.
klist -v shows:
Ticket etype: des-cbc-md5, kvno 44
Ticket length: 318
If DES has been removed, I guess this could be the problem?
After some googling, I can't figure out how to get a list of valid
enctypes to try. I tried a few enctypes I found by googling, but they
all failed either locally (unrecognized enctype) or remotely
(krb5_get_init_creds: KDC has no support for encryption type). Is
there a simple way to get a list of valid enctypes?
Thanks in advance for any help,
- Peter
More information about the Kerberos
mailing list