Config for enctypes on *received* service tickets

Matt Reynolds mwreynolds at gmail.com
Wed Sep 28 23:56:33 EDT 2005


I'm facing a problem where an app leveraging gssapi on one of my linux
boxes fails to decrypt service tickets it receives from clients. The
tickets are issued by a Windows KDC. The failure returned by gssapi is
kerberos error 31 (decimal) AP_ERR_BAD_INTEGRITY.

I am wondering if this is related to the ciphers in play. I have been
reading every doc I can get my hands on regarding krb5.conf, and I'm
still not clear on what, if any, entry in krb5.conf would apply to
enctypes to be used when decrypting service tickets received from
clients.

http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.2/doc/krb5-admin/libdefaults.html#libdefaults
says:

 1) default_tgs_enctypes controls encryption used in TGS_REPs where we
are acting as a KDC (not relevant to this scenario)

 2) default_tkt_enctypes controls enctypes to be requested in ticket
requests, where we are acting as a client principal (also not relevant
to this scenario)

so that leaves

 3) permitted_enctypes which is described as "Identifies all
encryption types that are permitted for use in session key
encryption." Depending on how you read that sentence, that could be
interpreted as being relevant to session key decryption.

So, to sum up, if I am failing to accept service tickets that I am
receiving as described above with error 31 BAD_INTEGRITY, do you think
I should add a "permitted_enctypes" entry with the relevant ciphers
(The Windows KDC appears to be using RC4-HMAC or DES-CBC-MD5,
depending on configuration), or am I barking up the completely wrong
tree?

In the latter case, can anyone suggest a better tree?

Thanks

-Matt
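An added example, not part of Matt's post or of MIT Kerberos itself: on the acceptor side the library decrypts an incoming service ticket with keys taken from the keytab, so the krb5.conf enctype lists discussed above do not supply key material, and AP_ERR_BAD_INTEGRITY is what a decryption attempt with a key of the right enctype but the wrong material produces (typically a stale keytab after the service account's key was reset, a different key version, or a key derived with a different salt). The script below parses an MIT-format keytab (file version 0x0502) and reports whether it holds a key for the ticket's principal, enctype and kvno. The keytab bytes are constructed inline for the demonstration; the enctype numbers are the standard registry assignments (3 = des-cbc-md5, 23 = rc4-hmac, 18 = aes256-cts-hmac-sha1-96). On a real box the same check is `klist -e -k /etc/krb5.keytab` against the enctype shown by `klist -e` for the client's ticket.

```python
"""Check an MIT keytab for a key matching a service ticket's enctype/kvno.

Added example (not from the mailing-list post). The keytab bytes are
constructed below; enctype numbers are the standard registry values.
"""
import struct

# Standard enctype numbers (RFC 3961 / RFC 4757 registry), only those used here.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at offset `off`."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab (file format version 0x0502) into a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # signed: negative = deleted entry
        off += 4
        if size == 0:
            break
        if size < 0:                                    # skip the hole left by a deletion
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        off += 11                                       # 4 + 4 + 1 + 2 bytes
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                              # optional 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "etype-%d" % enctype),
            "keylen": len(key),
        })
        off = end
    return entries


def diagnose(entries, principal, ticket_enctype, ticket_kvno):
    """Classify why a ticket (enctype, kvno) for `principal` may not decrypt."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return "no-principal"           # keytab holds no keys for this service at all
    if not any(e["enctype"] == ticket_enctype for e in mine):
        return "no-enctype"             # KDC chose an enctype this keytab has no key for
    if not any(e["enctype"] == ticket_enctype and e["kvno"] == ticket_kvno for e in mine):
        return "kvno-mismatch"          # stale keytab: the service key was rotated on the KDC
    # Right enctype and kvno present; a BAD_INTEGRITY here means the key bytes
    # themselves differ from what the KDC used (re-extract the keytab).
    return "candidate-key-present"


def build_entry(realm, comps, kvno, enctype, key, name_type=1, timestamp=0):
    """Serialise one keytab entry (constructed test data only)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBH", name_type, timestamp, kvno & 0xFF, enctype)
    body += struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: host/app.example.com with rc4-hmac and des-cbc-md5 keys at kvno 3.
SAMPLE_PRINCIPAL = "host/app.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(b"EXAMPLE.COM", [b"host", b"app.example.com"], 3, 23, b"\x11" * 16)
                 + build_entry(b"EXAMPLE.COM", [b"host", b"app.example.com"], 3, 3, b"\x22" * 8))

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in ents:
        print("%(principal)s kvno=%(kvno)d %(enctype_name)s (%(keylen)d-byte key)" % e)
    for etype, kvno in ((23, 3), (18, 3), (23, 4)):
        print("ticket etype=%d kvno=%d -> %s" % (etype, kvno, diagnose(ents, SAMPLE_PRINCIPAL, etype, kvno)))
```

The `diagnose` result tells you which direction to look: `no-enctype` means the KDC is issuing an enctype the keytab was never extracted for (the ktpass/KDC side, not krb5.conf); `kvno-mismatch` means the keytab predates a key change; `candidate-key-present` with a persisting BAD_INTEGRITY means the key bytes differ and the keytab should be regenerated from the current account key.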


