OpenSSH GSSAPI gives "Cannot find ticket for requested realm"

Russ Allbery rra at stanford.edu
Thu Jun 3 13:58:54 EDT 2010


Peter Waller <peter.waller at gmail.com> writes:

> Thanks for your response.

> klist -v shows:

> Ticket etype: des-cbc-md5, kvno 44
> Ticket length: 318

> If DES has been removed, I guess this could be the problem?

> After some googling, I can't figure out how to get a list of valid
> enctypes to try. I tried a few enctypes I found by googling, but they
> all failed either locally (unrecognized enctype) or remotely
> (krb5_get_init_creds: KDC has no support for encryption type). Is
> there a simple way to get a list of valid enctypes?

I suspect that if you add:

    allow_weak_crypto = true

to the [libdefaults] section of krb5.conf on both the client and server,
everything will start working again.  The problem is that one of the
Kerberos keys involved probably only has DES keys, so the only options are
to change the key to add more enctypes or to enable DES.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list