cross realm trusts ..

Dennis Davis dennisdavis+krb5-mail at fastmail.fm
Thu Nov 28 16:29:10 EST 2013


On Fri, 29 Nov 2013, Matt Bryant wrote:

> From: Matt Bryant <matthew.bryant at melbourneit.com.au>
> To: undisclosed-recipients:  ;
> Cc: kerberos at mit.edu
> Date: Thu, 28 Nov 2013 20:36:03
> Subject: Re: cross realm trusts ..
> 
> Have done that and yes can see all of those tickets .... mine, the
> TGT for cross realm auth and the host ticket in the other realm ..
> Now at this point got to say the old realm/kdc is on el4 and of
> course th eipa is on el6
> is there any reason the version disparity 1.3 v 1.10 is causing issues 

Wild guess:  Incompatible encryption types?

See:

http://web.mit.edu/kerberos/krb5-1.10/

which includes:

  DES transition
  
  The Data Encryption Standard (DES) is widely recognized as
  weak. The krb5-1.7 release contains measures to encourage sites to
  migrate away from using single-DES cryptosystems. Among these is
  a configuration variable that enables "weak" enctypes, which now
  defaults to "false" beginning with krb5-1.8.

Kerberos 1.3 will be happy with what are now regarded as weak
encryption types.

Also note the manual page for kdc.conf on later versions of Kerberos
includes:

  While aes128-cts and aes256-cts are supported for all Kerberos
  operations, they are not supported by very old versions of our
  GSSAPI implementation (krb5-1.3.1 and earlier).  Services running
  versions of krb5 without AES support must not be given AES keys in
  the KDC database.
-- 
Dennis Davis <dennisdavis at fastmail.fm>


More information about the Kerberos mailing list