<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Bitstream Cyberbit">So which krb5_32.dll are you currently
running with?<br>
<br>
The KfW 2.6 Beta 2? the one from the morning? or the one from the
afternoon?<br>
<br>
I would like to make sure the one from the morning works. Then we can
try to address the fwd_tgt.c issue.<br>
<br>
- Jeff<br>
<br>
<br>
Douglas E. Engert wrote:<br>
</font>
<blockquote cite="mid40113F06.37EC7AD2@anl.gov" type="cite">
<pre wrap=""><font face="Bitstream Cyberbit">
Jeffrey Altman via RT wrote:
</font></pre>
<blockquote type="cite">
<pre wrap=""><font face="Bitstream Cyberbit">This is related to ticket 2139. Doug has described a problem in which
the MS Tickets made accessible to the MIT krb5 gssapi implementation
cannot access services via cross realm. apparently, the ms tickets do
not use the same convention for cross realm client identity mapping as
MIT krb5 does. The problem is most likely in the default implementation
of the retrieval function which is depended on by the mslsa ccache
implementation.
This needs to be fixed for 1.3.2.
</font></pre>
</blockquote>
<pre wrap=""><!----><font face="Bitstream Cyberbit">
I have gotten further. I don't think the identity mapping or retrieval method
is a problem. I think it is the fwd_tgt.c code.
By removing "default_tkt_enctypes" and "default_tgs_enctypes" in the krb5.ini,
gssapi can get forwardable TGTs. I think the problem may be in the fwd_tgt.c
where it is trying to guess what etype the host can handle.
In the following 2 examples the TGT to be forwarded is obtained from the
MS AD. The hosts are in the MIT realm.
This is strange because on one host the host principal in the MIT realm
has only a des-cbc-crc key, and this is what was in the "default_*_enctypes"
and that is is what is finally returned in the forwarded TGT. But it
only works if I remove the "default_*_enctypes"
In the other host the host principal has both a 3des and a des-cbc-crc key,
yet the forward TGT has RC4-HMAC. The system is running krb5-1.2.8 and
does not understand rc4-hmac! (This system needs to be updated to 1.3.x)
I believe that the fwd_tgt.c code is confused. But there is no
debugging output, and the gssapi silently continues if delegation
fails. It may have been confused, because the imported TGT had RC4-HMAC,
which was not in its list of "default_*_enctypes". If I let Leash
get the tickets, it ownered the "default_*_enctypes" and gets an initial
TGT with des-cbc-crc.
So I am running without the "default_*_enctypes" for now.
</font></pre>
<blockquote type="cite">
<pre wrap=""><font face="Bitstream Cyberbit">_______________________________________________
krb5-bugs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:krb5-bugs@mit.edu">krb5-bugs@mit.edu</a>
<a class="moz-txt-link-freetext" href="https://mailman.mit.edu/mailman/listinfo/krb5-bugs">https://mailman.mit.edu/mailman/listinfo/krb5-bugs</a>
</font></pre>
</blockquote>
<pre wrap=""><!----><font face="Bitstream Cyberbit">
</font></pre>
</blockquote>
</body>
</html>