[32135] in Kerberos
Re: Win 2008R2 kdc and linux client: no support for encryption type
daemon@ATHENA.MIT.EDU (Jeffrey Watts)
Tue Mar 9 12:12:46 2010
In-Reply-To: <4B967BD9.6030501@anl.gov>
Date: Tue, 9 Mar 2010 11:12:41 -0600
Message-ID: <65631e801003090912t6ea9d058v9e791725d0bbc5b0@mail.gmail.com>
From: Jeffrey Watts <jeffrey.w.watts@gmail.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Cc: kerberos@mit.edu
Reply-To: watts@jayhawks.net

Yeah, I was one of the folks who ran into that problem with Win2008R2.
Oddly enough, it only seemed to happen with certain systems and not with
others. Identical systems using the same DC and on the same network
wouldn't have the issue, so I'm not sure why it would affect one and not the
other. Affected systems: RHEL4 and RHEL5.

Anyhow, the solution for us was to add the following to /etc/krb5.conf in
the [libdefaults] section:

    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

We had created our keytabs using Samba's 'net' command.

Jeffrey.

On Tue, Mar 9, 2010 at 10:48 AM, Douglas E. Engert <deengert@anl.gov> wrote:
>
> What user are you using with the kinit?
> Does a network trace show anything?
>
> We have seen issues with using the kinit -k with a keytab
> if the keytab does not have the highest enctype both client and server
> support (AES256).
>
> All of our DCs are now 2008R2, and afs aklog works well on
> and Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7
> clients.
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
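
Added example, not part of either message above: a Python check that ties the two observations in this thread together by testing whether a keytab holds the strongest enctype the client and the KDC have in common, with and without the [libdefaults] lines from the post. The keytab listing, principal name, KDC enctype list, and the fallback to the full list when no override is set are constructed assumptions.

```python
import re

# Strongest first, MIT krb5 enctype names; aliases fold to one canonical name.
RANK = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
        "arcfour-hmac", "des-cbc-md5", "des-cbc-crc"]
ALIASES = {"aes256-cts": RANK[0], "aes128-cts": RANK[1],
           "arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}

def canon(name):
    name = name.strip().lower().replace("deprecated:", "")
    return ALIASES.get(name, name)

def libdefaults_enctypes(conf_text, key):
    """Enctype list set for `key` in [libdefaults], or None if unset."""
    section = None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "libdefaults" and line.partition("=")[0].strip() == key:
            return [canon(e) for e in re.split(r"[,\s]+", line.partition("=")[2]) if e]
    return None

def keytab_enctypes(klist_text, principal):
    """Enctypes held for `principal`, parsed from `klist -ke` style output."""
    pat = re.compile(r"^\s*\d+\s+(\S+)\s+\((.+)\)\s*$")
    hits = (pat.match(l) for l in klist_text.splitlines())
    return {canon(m.group(2)) for m in hits if m and m.group(1) == principal}

def check(conf_text, klist_text, principal, kdc_enctypes):
    # Assumption: with no default_tkt_enctypes set, the client offers all of RANK.
    client = libdefaults_enctypes(conf_text, "default_tkt_enctypes") or RANK
    kdc = {canon(e) for e in kdc_enctypes}
    common = [e for e in RANK if e in client and e in kdc]
    best = common[0] if common else None
    return {"strongest_common": best,
            "in_keytab": best in keytab_enctypes(klist_text, principal),
            "client_offers_aes": any(e.startswith("aes") for e in client)}

# Constructed inputs: the [libdefaults] lines from the post, a made-up keytab listing.
POST_CONF = """[libdefaults]
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
"""
PRINC = "host/client.example.com@EXAMPLE.COM"
KLIST = f"KVNO Principal\n   3 {PRINC} (arcfour-hmac)\n   3 {PRINC} (des-cbc-md5)\n"
KDC = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "rc4-hmac"]  # assumed

if __name__ == "__main__":
    print(check("", KLIST, PRINC, KDC), check(POST_CONF, KLIST, PRINC, KDC))
```

With no override the strongest common enctype is AES256, which this keytab lacks; with the post's settings it becomes arcfour-hmac, which the keytab holds, and `client_offers_aes` turns False because the client no longer requests AES at all.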