[krbdev.mit.edu #2143] Windows mslsa ccache not returning MS generated cross realm tickets to gssapi

Jeffrey Altman jaltman at columbia.edu
Fri Jan 23 12:05:16 EST 2004


Douglas E. Engert wrote:

>The afternoon, I believe. I will install the morning one again just to make sure. 
>
>
Thanks. I am going to use the one from the morning unless we can prove
your theory.

>If I upgrade the one host in question to krb5-1.3.x and don't use the "default_*_enctypes"
>I believe it works. The KRB5.ANL.GOV KDC is still at 1.2.8. I am willing to update
>it, but would like to use 1.3.2 to avoid multiple updates.  
>
>The point being that the release notes for KfW may want to warn against
>using the "default_*_enctypes", and may require krb5-1.3.x on hosts?
>
The issue is specifically due to the importation of the tickets from the
LSA ccache, which produces a DES session key but an RC4 encryption key.
The MSLSA ccache code does not pay attention to the default_*_enctypes.

I think there were some other issues with default_*_enctypes that made
them undesirable.
(cc'd to krbcore in case there are others who can comment.)

- Jeff


