[32415] in Kerberos
Re: OpenSSH GSSAPI gives "Cannot find ticket for requested realm"
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jun 3 14:45:33 2010
From: Russ Allbery <rra@stanford.edu>
Date: Thu, 03 Jun 2010 10:58:54 -0700
Message-ID: <87r5koyp41.fsf@windlord.stanford.edu>
Mime-Version: 1.0
X-Complaints-To: news@usenet-its.stanford.edu
In-Reply-To: <c0f2417f-1738-40d7-8ffa-257e9301b7d4@c22g2000vbb.googlegroups.com>
(Peter Waller's message of "Thu, 3 Jun 2010 01:59:57 -0700 (PDT)")
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Peter Waller <peter.waller@gmail.com> writes:
> Thanks for your response.
> klist -v shows:
> Ticket etype: des-cbc-md5, kvno 44
> Ticket length: 318
> If DES has been removed, I guess this could be the problem?
> After some googling, I can't figure out how to get a list of valid
> enctypes to try. I tried a few enctypes I found by googling, but they
> all failed either locally (unrecognized enctype) or remotely
> (krb5_get_init_creds: KDC has no support for encryption type). Is
> there a simple way to get a list of valid enctypes?
I suspect that if you add:
allow_weak_crypto = true
to the [libdefaults] section of krb5.conf on both the client and server,
everything will start working again. The problem is that one of the
Kerberos keys involved probably only has DES keys, so the only options are
to change the key to add more enctypes or to enable DES.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
