ksu problem with "Version: 1.12+dfsg-2ubuntu5.1"
Giuseppe Mazza
g.mazza at imperial.ac.uk
Tue Feb 17 12:32:12 EST 2015
Dear All,
I have upgraded and my server and my client to "1.12+dfsg-2ubuntu5.1"
(Ubuntu 14.04.1 LTS).
root at client:~# aptitude show krb5-user | grep Version
Version: 1.12+dfsg-2ubuntu5.1
root at server:~# aptitude show krb5-kdc | grep Version
Version: 1.12+dfsg-2ubuntu5.1
client% ksu
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for gmazza/root at DOC.IC.AC.UK: :
ksu: Generic error (see e-text) while getting credentials from kdc
Authentication failed.
root at server:~# tail -f /var/log/krb5kdc.log | grep gmazza
...
Feb 17 16:05:45 thoth.doc.ic.ac.uk krb5kdc[25860](info): AS_REQ (9
etypes {18 17 16 23 25 26 1 3 2}) 146.169.46.230: ISSUE: authtime
1424189145, etypes {rep=16 tkt=1 ses=1}, gmazza/root at DOC.IC.AC.UK for
krbtgt/DOC.IC.AC.UK at DOC.IC.AC.UK
Feb 17 16:05:45 thoth.doc.ic.ac.uk krb5kdc[25860](info): TGS_REQ (9
etypes {18 17 16 23 25 26 1 3 2}) 146.169.46.230: NO PREAUTH: authtime
0, gmazza/root at DOC.IC.AC.UK for host/bacio.doc.ic.ac.uk at DOC.IC.AC.UK,
Generic error (see e-text)
Feb 17 16:05:45 thoth.doc.ic.ac.uk krb5kdc[25860](info): TGS_REQ (9
etypes {18 17 16 23 25 26 1 3 2}) 146.169.46.230: NO PREAUTH: authtime
0, gmazza/root at DOC.IC.AC.UK for host/bacio.doc.ic.ac.uk at DOC.IC.AC.UK,
Generic error (see e-text)
I managed to solve the problem by upgrading my root principal
form DES to AES.
However on the client I have got:
client% head -5 /etc/krb5.conf
[appdefaults]
# [dwm] necessary for DOC.IC.AC.UK
allow_weak_crypto=true
...
I thought that would be enough to support old DES principal.
By the way ksu is the only kerberized application that does not work.
All the other still work. Even the ones where DES principals are used.
Anybody has experienced the same problem?
All the best,
Giuseppe
More information about the Kerberos
mailing list