Ben Cox cox-work at
Fri Oct 4 15:44:00 EDT 2002

What's the current state of 3DES and GSS-API?  Is it thought to be
complete, or is it not there yet?  I can't seem to make it work:

  * If my service principal has a des-cbc-crc key and a des3-cbc-raw
    key (which I get by default if I do "ktadd -k kt princname"), my
    client gets a des-cbc-crc ticket for it.

  * If my service principal has ONLY a des3-cbc-sha1 key, my client
    gets a ticket for it, but the server fails on gss_accept_sec_context
    with GSS_S_FAILURE and gss_minor=-1765328151 (gss_display_status
    gives "Unknown code z 0").

  * If my service principal has ONLY a des3-cbc-raw key, the client
    fails on gss_init_sec_context (with the same gss_minor value),
    and there's a note in the KDC log:

	authtime 1033759686,  cox at MYREALM.TLD for gsstestsvc at MYREALM,
	No matching key in entry having a permitted enctype

Should this be working?  Do I need to do something else?  Or is this
known not to be up to par yet?

-- Ben

More information about the krbdev mailing list