GSSAPI on Linux using Windows AD Servers as KDCs - Errors about Keytab Entries

Douglas E. Engert deengert at anl.gov
Mon Jan 7 11:15:59 EST 2008



Jason D. McCormick wrote:
> Douglas E. Engert wrote:
> 
>> The problem might be that on the AD account the UserAccountControl flag
>> does not have the USE_DES_KEY_ONLY 0x200000 set, So AD is returning an
>> ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option
>> to set this.
>>
>> See kb 305144 too.
> 
> I'll give that a shot, thanks.
> 
>> Why are you using DES? All the newer Kerberos can use ArcFour. So try
>> ktpass witout the crypto option.
> 
> Do you know if the Linux NFSv4 stuff can use ArcFour?  I've only been
> able to find (older - circa '06) docs that state the only working type
> is des-cbc-crc.

Don't know, but a lot of the developers on the nfsv4 at ietf.org list are also
on the Kerberos list.

> 
> - Jason
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list