[krbdev.mit.edu #2143] Windows mslsa ccache not returning MSgeneratedcrossrealm tickets to gssapi
Douglas E. Engert
deengert at anl.gov
Fri Jan 23 12:34:09 EST 2004
> Jeffrey Altman wrote:
> Douglas E. Engert wrote:
> > The afternoon, I believe. I will install the morning one again just to make sure.
You kepp a differnet schedule that I do, I see two krb5_32.dlls from you
Email time file time in Zip file:
I assume the first is the "morning" and the second the "afternoon"
I was running with the afternoon one, and have rebooted with the morning
one. They appear to do the same thing.
> thanks. I am going to use the one from the morning unless we can prove your theory.
The morning one looks OK. I think the difference would only show up
if there where three realms involved.
> > If I upgrade the one host in question to krb5-1.3.x and don't use the "default_*_enctypes"
> > I believe it works. The KRB5.ANL.GOV KDC is still at 1.2.8. I am willing to update
> > it, but would like to use 1.3.2 to avoid multiple updates.
> > The point being that the release notes for KfW may want to warn against
> > using the "default_*_enctypes, and may require krb5-1.3.x on hosts?
> The issue is specifically due to the importation of the tickets from the LSA ccache
> which produces a DES session key but a RC4 encryption key. The MSLSA ccache code
> does not pay attention to the default_*_enctypes.
> I think there were some other issues with default_*_enctypes that made them undesireable.
> (cc'd to krbcore in case there are others who can comment.)
> - Jeff
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the krbdev