[krbdev.mit.edu #2143] Windows mslsa ccache not returning MS generated cross realm tickets to gssapi
Jeffrey Altman
jaltman at columbia.edu
Fri Jan 23 12:05:16 EST 2004
Douglas E. Engert wrote:
>The afternoon, I believe. I will install the morning one again just to make sure.
>
Thanks. I am going to use the one from the morning unless we can prove
your theory.
>If I upgrade the one host in question to krb5-1.3.x and don't use the "default_*_enctypes"
>I believe it works. The KRB5.ANL.GOV KDC is still at 1.2.8. I am willing to update
>it, but would like to use 1.3.2 to avoid multiple updates.
>
>The point being that the release notes for KfW may want to warn against
>using the "default_*_enctypes", and may require krb5-1.3.x on hosts?
>
The issue is specifically due to the importation of the tickets from the
LSA ccache, which produces a DES session key but an RC4 encryption key.
The MSLSA ccache code does not pay attention to the default_*_enctypes.
I think there were some other issues with default_*_enctypes that made
them undesirable.
(cc'd to krbcore in case there are others who can comment.)
- Jeff