[krbdev.mit.edu #2143] Windows mslsa ccache not returning MSgeneratedcrossrealm tickets to gssapi

Douglas E. Engert deengert at anl.gov
Fri Jan 23 12:34:09 EST 2004



> Jeffrey Altman wrote:
> 
> Douglas E. Engert wrote:
> 
> > The afternoon, I believe. I will install the morning one again just to make sure.

You keep a different schedule than I do, I see two krb5_32.dlls from you

  Email time          file time in Zip file:

  15:44:50-0500           3:41PM 

  17:38:17-0500           5:36PM 

I assume the first is the "morning" and the second the "afternoon" 

I was running with the afternoon one, and have rebooted with the morning
one. They appear to do the same thing.  

> >
> >
> thanks.  I am going to use the one from the morning unless we can prove your theory.

The morning one looks OK. I think the difference would only show up
if there were three realms involved. 

> 
> > If I upgrade the one host in question to krb5-1.3.x and don't use the "default_*_enctypes"
> > I believe it works. The KRB5.ANL.GOV KDC is still at 1.2.8. I am willing to update
> > it, but would like to use 1.3.2 to avoid multiple updates.
> >
> > The point being that the release notes for KfW may want to warn against
> > using the "default_*_enctypes", and may require krb5-1.3.x on hosts?
> >
> The issue is specifically due to the importation of the tickets from the LSA ccache
> which produces a DES session key but an RC4 encryption key.   The MSLSA ccache code
> does not pay attention to the default_*_enctypes.
> 
> I think there were some other issues with default_*_enctypes that made them undesirable.
> (cc'd to krbcore in case there are others who can comment.)
> 
> - Jeff

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

