Config for enctypes on *recieved* service tickets
Matt
mwreynolds at gmail.com
Thu Sep 29 12:04:43 EDT 2005
Apologies if anybody sees this twice... I believe my first post failed.
I'm facing a problem where a server side app leveraging gssapi on one
of my linux boxes fails to honor all service tickets that are presented
to it by clients. The tickets are issued by a Windows KDC. The failure
returned by gssapi is kerberos error 31 (decimal) AP_ERR_BAD_INTEGRITY.
I am wondering if this related to the ciphers is play. I have been
reading every doc I can get my hands on regarding krb5.conf, and I'm
still not clear on what, if any, entry in krb5.conf would apply to
enctypes to be used when decrypting service tickets recieved from
clients.
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.2/doc/krb5admin/libdefaults.html#libdefaults
says (paraphrasing):
1) default_tgs_enctypes controls encryption used in TGS_REPs where we
are acting as a KDC (not relevant to this scenario)
2) default_tkt_enctypes controls enctypes to be requested in ticket
requests, where we are acting as a client principal (also not relevant
to this scenario)
so that leaves
3) permitted_enctypes which is described as "Identifies all
encryption types that are permitted for use in session key
encryption." Depending on how you read that sentence, that could be
interpreted as being relevant to session key decryption.
So, to sum up, if I am failing to accept service tickets that I am
recieving as described above with error 31 BAD_INTEGRITY, do you think
I should add a "permitted_enctypes" entry with the relevant ciphers(The
Windows KDC appears to be using RC4-HMAC or DES-CBC-MD5, depending on
configuration), or am I barking up the completely wrong tree?
In the latter case, can anyone suggest a better tree?
Thanks
-Matt
More information about the Kerberos
mailing list