MIT-Heimdal interop issues

Sam Hartman hartmans at MIT.EDU
Tue Mar 23 18:22:27 EST 2004


>>>>> "Digant" == Digant Kasundra <digant at uta.edu> writes:

    Digant> Well, for some reason, I'm not getting good results.
    Digant> Getting a ticket with kinit on the Heimdal side works
    Digant> great if I specify a password.  But when using a keytab,
    Digant> it will only work if I tell it manually what encryption
    Digant> type to use, even though ktutil identifies the enc type
    Digant> correctly when listing the keys in that keytab.

This doesn't completely surprise me if your KDC requires
preauthentication.  If so, it is a Heimdal bug.  MIT has the same bug
though; it is easy to make.

    Digant> I think this is the major contributor to my gssapi bind
    Digant> failing on openldap.

However, the need to specify the enctype for kinit should not affect
use for GSSAPI bind on the server side doing a gss_accept_sec_context.

I'd look in your MIT KDC log and make sure the enctype for the ticket
that is issued (tkt in the log line for the tgs_req) is something that
is in your keytab.

Perhaps posting klist -5 -e output from your client with an ldap
ticket and posting the appropriate ktutil output to show the enctypes
would be enlightening.

--Sam
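The check Sam describes above (compare the "tkt=" enctype the MIT KDC logged for the TGS_REQ against the enctypes present in the server's keytab), written out as a small POSIX sh script. This is an added example and not part of the original thread or of either Kerberos implementation; the KDC log line, the Heimdal ktutil listing, the hostnames and the principal names are all constructed samples, and the enctype-number-to-name table covers only the common RFC 3961/4120 enctypes.

```shell
#!/bin/sh
# Added example (not from the original thread): given an MIT krb5kdc.log
# TGS_REQ ISSUE line and a keytab listing, check that the enctype of the
# issued service ticket ("tkt=" in the log) is one the server's keytab holds.
# Every input below is a constructed sample, not real log or keytab data.

# Constructed MIT krb5kdc.log line. The "etypes {rep=.. tkt=.. ses=..}"
# shape is the MIT KDC's ISSUE line format; hostnames and times are made up.
KDC_LOG_LINE='Mar 23 18:22:27 kdc.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1080079347, etypes {rep=18 tkt=23 ses=18}, digant@EXAMPLE.COM for ldap/ldap.example.com@EXAMPLE.COM'

# Constructed Heimdal "ktutil -k /etc/krb5.keytab list" output for the LDAP
# server. Deliberately has no arcfour-hmac (enctype 23) key.
KEYTAB_LISTING='Vno  Type                     Principal
  3  aes256-cts-hmac-sha1-96  ldap/ldap.example.com@EXAMPLE.COM
  3  des3-cbc-sha1            ldap/ldap.example.com@EXAMPLE.COM
  3  des-cbc-crc              ldap/ldap.example.com@EXAMPLE.COM'

SERVICE_PRINCIPAL='ldap/ldap.example.com@EXAMPLE.COM'

# Print the numeric ticket enctype ("tkt=N") from an ISSUE log line.
tkt_etype_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*tkt=\([0-9][0-9]*\).*/\1/p'
}

# Map an RFC 3961/4120 enctype number to the name klist/ktutil print.
etype_name() {
    case "$1" in
        1)  echo des-cbc-crc ;;
        2)  echo des-cbc-md4 ;;
        3)  echo des-cbc-md5 ;;
        16) echo des3-cbc-sha1 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        23) echo arcfour-hmac ;;
        *)  echo "unknown-etype-$1" ;;
    esac
}

# Return 0 if the keytab listing ($1) has a key of enctype name $2 for
# principal $3, 1 otherwise. Skips the header line of the listing.
keytab_has_etype() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" \
        'NR > 1 && $2 == t && $3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Full check: log line ($1), keytab listing ($2), service principal ($3).
# Prints a verdict; returns 0 when the keytab can decrypt the ticket,
# 1 on a mismatch, 2 if the log line carries no tkt= enctype.
check_ticket_matches_keytab() {
    num=$(tkt_etype_from_log "$1")
    if [ -z "$num" ]; then
        echo "no tkt= enctype found in log line"
        return 2
    fi
    name=$(etype_name "$num")
    if keytab_has_etype "$2" "$name" "$3"; then
        echo "ok: ticket enctype $num ($name) is in the keytab for $3"
        return 0
    fi
    echo "MISMATCH: KDC issued a ticket with enctype $num ($name) but the keytab for $3 has no such key"
    return 1
}

# Run the check on the constructed samples; the mismatch is expected here.
check_ticket_matches_keytab "$KDC_LOG_LINE" "$KEYTAB_LISTING" "$SERVICE_PRINCIPAL" \
    || echo "check exited with status $?"
```

On a real system the log line comes from the KDC's krb5kdc.log and the listing from ktutil (Heimdal) or `ktutil`/`klist -k -e` (MIT); the sample above reproduces the failure mode from the thread, where the KDC picks a ticket enctype the server's keytab does not contain, so gss_accept_sec_context cannot decrypt the ticket.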
