OpenSSH GSSAPI gives "Cannot find ticket for requested realm"

Simon Wilkinson simon at sxw.org.uk
Wed Jun 2 13:00:53 EDT 2010


> 
> Karmic 9.10: OpenSSH 5.1p1-6ubuntu2, libgssapi-krb5-2
> 1.7dfsg~beta3-1ubuntu0.6
> Lucid 10.04:  OpenSSH 5.3p1-3ubuntu3, libgssapi-krb5-2 1.8.1+dfsg-2

This particular version change makes me suspect something related to DES tickets. Does the service ticket you're trying to obtain have encryption types other than DES?

The entire DES removal in 1.8 seems to have been extremely poorly communicated to the user community at large. I'm not sure whether the Kerberos Consortium or the downstream vendors should take responsibility for this, but it is _very_ easy to break production machines in fun and exciting ways by upgrading to 1.8. My advice, at present, would be to avoid 1.8 entirely until others have found all of the pain points and the documentation has been improved.

Cheers,

Simon.





More information about the Kerberos mailing list