KRB5KDC_ERR_ETYPE_NOSUPP in protocol transition
Nikhil Mishra
nikhilm at gs-lab.com
Wed Jul 29 00:23:50 EDT 2009
Thanks Luke. I will take a look at the branch.
I have implemented both S4U2self and S4U2proxy.
I tested it with win2k3 SP2 and a limited set of hotfixes. This was
working fine and I was able to fetch corresponding tickets.
After doing an auto upgrade, is when I started getting this error.
I suspect some default parameters being set in windows registry is
causing the issue.
Snippet from my krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WXYZ.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# default-tgt-enctypes = rc4-hmac
default-tkt-enctypes = des-cbc-md5 des-hmac-sha1 des-cbc-crc
# permitted-enctypes = rc4-hmac
Please find the diff attached. This diff is taken on krb 1.6.5.
I will also give it a shot against win2k8.
Thanks
Nikhil
Luke Howard wrote:
>
> On 27/07/2009, at 11:17 AM, Nikhil Mishra wrote:
>
>> Hi All,
>>
>> I made some changes in krb5_get_credentials to work for protocol
>> transition and constrained delegation.
>
> Sorry to duplicate the effort: you might want to take a look at the
> users/lhoward/s4u branch in SVN.
>
> That contains my in-progress implementation of S4U2Self and S4U2Proxy.
> Presently only S4U2Self (W2K3 protocol) is tested. (The W2K3 protocol
> has some weaknesses in that the S4U2Self request is not bound to the
> TGS-REQ. This was corrected in W2K8, but I haven't been able to get
> that to work yet.)
>
> As for your immediate problem, I'm not sure, because I haven't tested
> S4U2Proxy yet...
>
> cheers,
>
> -- Luke
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kerberos_cd.diff
Type: text/x-patch
Size: 21146 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20090729/63eda86a/attachment.bin
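
Added example (not part of the original message and not MIT krb5 code): a small lint for the enctype settings in a krb5.conf [libdefaults] section like the one quoted in the message. It assumes the relation names MIT krb5 reads are default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes, spelled with underscores; the function names are hypothetical and the sample input is constructed.

```python
import re

# Assumption: relation names MIT krb5 reads from [libdefaults] for enctypes.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
# Single-DES enctype names as they are spelled in krb5.conf.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}

def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section, skipping comments."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found

def lint_enctypes(text):
    """Flag enctype-like keys the library will not read, and DES-only lists."""
    findings = []
    for key, value in parse_libdefaults(text).items():
        normalized = key.replace("-", "_")
        if key in ENCTYPE_KEYS:
            names = re.split(r"[\s,]+", value)
            if all(name in SINGLE_DES for name in names):
                findings.append(("single-des-only", key, " ".join(names)))
        elif normalized.endswith("_enctypes"):
            # An unknown relation is silently ignored, so defaults apply instead.
            hint = normalized if normalized in ENCTYPE_KEYS else "no known relation"
            findings.append(("unrecognized-key", key, hint))
    return findings

# Constructed sample input, modelled on the layout of the snippet in the message.
SAMPLE = """[libdefaults]
 default_realm = EXAMPLE.TEST
 forwardable = yes
# permitted-enctypes = rc4-hmac
 default-tkt-enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
"""

if __name__ == "__main__":
    for finding in lint_enctypes(SAMPLE):
        print(finding)
```

The check only reports how the settings would be read; it does not determine why a KDC returned KRB5KDC_ERR_ETYPE_NOSUPP.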