MIT-Heimdal interop issues
Sam Hartman
hartmans at MIT.EDU
Tue Mar 23 18:22:27 EST 2004
>>>>> "Digant" == Digant Kasundra <digant at uta.edu> writes:
Digant> Well, for some reason, I'm not getting good results.
Digant> getting a ticket with kinit on the heimdal side works
Digant> great if I specify a password. But when using a keytab,
Digant> it will only work if I tell it manually what encryption
Digant> type to use, even though ktutil identifies the enc type
Digant> correctly when listing the keys in that keytab.
This doesn't completely surprise me if your KDC requires
preauthentication. If so, it is a Heimdal bug. MIT has the same bug
though; it is easy to make.
Digant> I think this is the major contributor to my gssapi bind
Digant> failing on openldap.
However the need to specify the enctype for kinit should not affect
use for GSSAPI bind on the server side doing a gss_accept_sec_context.
I'd look in your MIT KDC log and make sure the enctype for the ticket
that is issued (tkt in the log line for the tgs_req) is something that
is in your keytab.
Perhaps posting klist -5 -e output from your client with an ldap
ticket and posting the appropriate ktutil output to show the enctypes
would be enlightening.
--Sam
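The check Sam suggests above, that the tkt= enctype in the KDC's TGS_REQ log line is one the server's keytab actually holds, done as a small script. This is an added example, not code from the original post, MIT or Heimdal; the log line and the keytab listing are constructed samples modelled on the MIT krb5kdc "etypes {rep= tkt= ses=}" log format and "klist -k -e" output, and the number-to-name table covers only the enctypes named in the sample.

```shell
#!/bin/sh
# Constructed sample: one MIT krb5kdc log line for a TGS_REQ (assumed format,
# modelled on the "etypes {rep=.. tkt=.. ses=..}" line the KDC logs on ISSUE).
KDC_LOG_LINE='Mar 23 18:10:05 kdc krb5kdc[2401](info): TGS_REQ (4 etypes {18 17 23 3}) 10.1.2.3: ISSUE: authtime 1080083000, etypes {rep=18 tkt=18 ses=18}, digant@EXAMPLE.COM for ldap/ldap.example.com@EXAMPLE.COM'

# Constructed sample: output of "klist -k -e" (MIT) for the LDAP server's keytab.
# It deliberately lacks an AES key so the mismatch case is exercised.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ldap.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 ldap/ldap.example.com@EXAMPLE.COM (arcfour-hmac)'

SERVICE=ldap/ldap.example.com@EXAMPLE.COM

# Map the enctype number the KDC logs to the name klist prints (assumed table,
# limited to the enctypes used in the samples above).
etype_name() {
  case "$1" in
    1)  echo des-cbc-crc ;;
    3)  echo des-cbc-md5 ;;
    16) echo des3-cbc-sha1 ;;
    17) echo aes128-cts-hmac-sha1-96 ;;
    18) echo aes256-cts-hmac-sha1-96 ;;
    23) echo arcfour-hmac ;;
    *)  echo "unknown-$1" ;;
  esac
}

# Pull the tkt= enctype number out of a krb5kdc ISSUE line.
tkt_etype() {
  printf '%s\n' "$1" | sed -n 's/.*tkt=\([0-9]*\).*/\1/p'
}

# Print the enctype names the keytab listing ($2) holds for principal $1.
keytab_etypes() {
  printf '%s\n' "$2" | grep -F " $1 (" | sed 's/.*(\(.*\))$/\1/'
}

# Exit 0 if the issued ticket's enctype has a matching key in the keytab,
# 1 otherwise. Arguments: KDC log line, service principal, keytab listing.
tkt_matches_keytab() {
  num=$(tkt_etype "$1")
  name=$(etype_name "$num")
  keytab_etypes "$2" "$3" | grep -qx "$name"
}

if tkt_matches_keytab "$KDC_LOG_LINE" "$SERVICE" "$KEYTAB_LISTING"; then
  echo "ok: ticket enctype $(etype_name "$(tkt_etype "$KDC_LOG_LINE")") is in the keytab"
else
  echo "MISMATCH: KDC issued tkt=$(tkt_etype "$KDC_LOG_LINE") ($(etype_name "$(tkt_etype "$KDC_LOG_LINE")")) but keytab holds: $(keytab_etypes "$SERVICE" "$KEYTAB_LISTING" | tr '\n' ' ')"
fi
```

With the constructed samples the script reports a mismatch: the KDC issued an aes256-cts-hmac-sha1-96 service ticket, but the keytab only has des3-cbc-sha1 and arcfour-hmac keys, which is exactly the situation in which gss_accept_sec_context on the server cannot decrypt the ticket. On a real system, feed it the ISSUE line from the KDC log and the output of klist -k -e (or, on Heimdal, ktutil list) for the service principal in question.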