[krbdev.mit.edu #2155] krb5-1.3.x testing with default_tgs_enctypes in krb5.conf

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Fri Jan 30 20:46:21 EST 2004


The following is a comment from Doug from a thread on why he is unable
to delegate tickets via GSSAPI from Kerberos for Windows.  We originally
thought the problem was caused by the Ticket importation via the new
MSLSA krb5_ccache type.  However, this makes it clear that the problem
is elsewhere:



By removing "default_tkt_enctypes" and "default_tgs_enctypes" in the
krb5.ini, gssapi can get forwardable TGTs. I think the problem may be in
the fwd_tgt.c where it is trying to guess what etype the host can handle.

In the following 2 examples the TGT to be forwarded is obtained from the
MS AD. The hosts are in the MIT realm.

This is strange because on one host the host principal in the MIT realm
has only a des-cbc-crc key, and this is what was in the "default_*_enctypes"
and that is what is finally returned in the forwarded TGT. But it
only works if I remove the "default_*_enctypes".

In the other host the host principal has both a 3des and a des-cbc-crc key,
yet the forwarded TGT has RC4-HMAC.  The system is running krb5-1.2.8 and
does not understand rc4-hmac! (This system needs to be updated to 1.3.x)

I believe that the fwd_tgt.c code is confused. But there is no
debugging output, and the gssapi silently continues if delegation
fails. It may have been confused, because the imported TGT had RC4-HMAC,
which was not in its list of "default_*_enctypes". If I let Leash
get the tickets, it honors the "default_*_enctypes" and gets an initial
TGT with des-cbc-crc.

So I am running without the "default_*_enctypes" for now.

Doug
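A diagnostic for the mismatch Doug describes, added here as an example and not code from this thread or from MIT krb5: it compares the session-key enctype of each cached ticket (parsed from constructed `klist -e` output, using an assumed mapping from klist's descriptive names to krb5.conf enctype names) against the `default_tgs_enctypes` list in a constructed krb5.ini fragment, and reports tickets such as an imported rc4-hmac TGT that fall outside the configured list.

```python
import re

# Constructed krb5.ini fragment matching the report: only des-cbc-crc permitted.
KRB5_CONF = """\
[libdefaults]
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
"""

# Constructed `klist -e` listing: an rc4-hmac TGT imported from the MSLSA cache
# plus a des-cbc-crc service ticket for a host in the MIT realm.
KLIST_OUTPUT = """\
Ticket cache: MSLSA:
01/30/04 18:02:11  01/31/04 04:02:11  krbtgt/AD.EXAMPLE.ORG@AD.EXAMPLE.ORG
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/30/04 18:05:40  01/31/04 04:02:11  host/shell.example.org@EXAMPLE.ORG
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

# Descriptive names printed by klist -e, mapped to krb5.conf enctype names
# (assumed mapping, covering only the enctypes this report mentions).
ENCTYPE_NAMES = {"DES cbc mode with CRC-32": "des-cbc-crc",
                 "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
                 "ArcFour with HMAC/md5": "rc4-hmac"}

def configured_enctypes(conf_text, key):
    """Enctype list for `key` (e.g. default_tgs_enctypes), or None when unset."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*([^#\n]+)", conf_text, re.M)
    return m.group(1).split() if m else None

def ticket_enctypes(klist_text):
    """Return [(service principal, session-key enctype, ticket enctype)]."""
    tickets, principal = [], None
    for line in klist_text.splitlines():
        m = re.match(r"\S+ \S+\s+\S+ \S+\s+(\S+@\S+)$", line.strip())  # valid/expires/principal
        if m:
            principal = m.group(1)
        m = re.match(r"Etype \(skey, tkt\): (.+), (.+)$", line.strip())
        if m and principal:
            skey, tkt = (ENCTYPE_NAMES.get(n, n) for n in m.groups())
            tickets.append((principal, skey, tkt))
    return tickets

def find_mismatches(conf_text, klist_text):
    """Tickets whose session-key enctype is outside default_tgs_enctypes."""
    allowed = configured_enctypes(conf_text, "default_tgs_enctypes")
    if allowed is None:
        return []  # no restriction configured, so nothing to flag
    return [(p, s) for p, s, _ in ticket_enctypes(klist_text) if s not in allowed]
```

On the configuration Doug had, this flags the imported AD TGT (rc4-hmac) and nothing else; with the `default_*_enctypes` lines removed it flags nothing, which matches the behaviour he reports.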

