[32394] in Kerberos
Re: OpenSSH GSSAPI gives "Cannot find ticket for requested realm"
daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Wed Jun 2 13:01:06 2010
Mime-Version: 1.0 (Apple Message framework v1078)
From: Simon Wilkinson <simon@sxw.org.uk>
In-Reply-To: <19d61219-823f-433c-a987-b78bffc8abcd@c7g2000vbc.googlegroups.com>
Date: Wed, 2 Jun 2010 18:00:53 +0100
Message-Id: <00174FAF-6272-491C-A87A-DF3FBA888A16@sxw.org.uk>
To: Peter Waller <peter.waller@gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>
> Karmic 9.10: OpenSSH 5.1p1-6ubuntu2, libgssapi-krb5-2
> 1.7dfsg~beta3-1ubuntu0.6
> Lucid 10.04: OpenSSH 5.3p1-3ubuntu3, libgssapi-krb5-2 1.8.1+dfsg-2
This particular version change makes me suspect something related to DES tickets. Does the service ticket you're trying to obtain have encryption types other than DES?
The entire DES removal in 1.8 seems to have been extremely poorly communicated to the user community at large. I'm not sure whether the Kerberos Consortium or the downstream vendors should take responsibility for this, but it is _very_ easy to break production machines in fun and exciting ways by upgrading to 1.8. My advice, at present, would be to avoid 1.8 entirely until others have found all of the pain points and the documentation has been improved.
Cheers,
Simon.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
