[32332] in Kerberos
Re: problem with pam_krb5 4.2-1
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu May 13 20:38:20 2010
From: Russ Allbery <rra@stanford.edu>
To: Rohit Kumar Mehta <rohitm@engr.uconn.edu>
In-Reply-To: <4BEC6062.9000601@engr.uconn.edu> (Rohit Kumar Mehta's message of
"Thu, 13 May 2010 16:26:10 -0400")
Date: Thu, 13 May 2010 17:38:14 -0700
Message-ID: <87y6fn71xl.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Rohit Kumar Mehta <rohitm@engr.uconn.edu> writes:
> Hi guys, in upgrading some Ubuntu systems from Karmic (libpam-krb5
> 3.15-1) to Lucid (libpam-krb5 4.2-1) I discovered a problem.
> SSH authentication would fail with pam_krb5 the error:
> "credential verification failed: KDC has no support for encryption type"
> However kinit username@REALM worked fine, as did kerberized NFS mounts.
> I found that if I removed my krb5.keytab things ssh authentication also
> worked.
Chances are, your system keytab only has DES keys. Either download a new
keytab that has more enctypes or add:
allow_weak_crypto = true
to the [libdefaults] section of your krb5.conf.
> I'm also wondering why my krb5.keytab is not accepted by pam_krb5.
> Could it be because I am authenticating in the realm=AD.ENGR.UCONN.EDU
> and the principals in the keytab are in the realm=ENGR.UCONN.EDU?
If your system keytab is fine, then it may be that the cross-realm key
only has DES keys, but I bet it's your system keytab.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
