cross realm trusts ..
Dennis Davis
dennisdavis+krb5-mail at fastmail.fm
Thu Nov 28 16:29:10 EST 2013
On Fri, 29 Nov 2013, Matt Bryant wrote:
> From: Matt Bryant <matthew.bryant at melbourneit.com.au>
> To: undisclosed-recipients: ;
> Cc: kerberos at mit.edu
> Date: Thu, 28 Nov 2013 20:36:03
> Subject: Re: cross realm trusts ..
>
> Have done that and yes can see all of those tickets .... mine, the
> TGT for cross realm auth and the host ticket in the other realm ..
> Now at this point got to say the old realm/kdc is on el4 and of
> course the ipa is on el6
> is there any reason the version disparity 1.3 v 1.10 is causing issues
Wild guess: Incompatible encryption types?
See:
http://web.mit.edu/kerberos/krb5-1.10/
which includes:
DES transition
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites to
migrate away from using single-DES cryptosystems. Among these is
a configuration variable that enables "weak" enctypes, which now
defaults to "false" beginning with krb5-1.8.
Kerberos 1.3 will be happy with what are now regarded as weak
encryption types.
Also note the manual page for kdc.conf on later versions of Kerberos
includes:
While aes128-cts and aes256-cts are supported for all Kerberos
operations, they are not supported by very old versions of our
GSSAPI implementation (krb5-1.3.1 and earlier). Services running
versions of krb5 without AES support must not be given AES keys in
the KDC database.
--
Dennis Davis <dennisdavis at fastmail.fm>