[36791] in Kerberos
ksu problem with "Version: 1.12+dfsg-2ubuntu5.1"
daemon@ATHENA.MIT.EDU (Giuseppe Mazza)
Tue Feb 17 12:33:52 2015
Message-ID: <54E37B1C.2040407@imperial.ac.uk>
Date: Tue, 17 Feb 2015 17:32:12 +0000
From: Giuseppe Mazza <g.mazza@imperial.ac.uk>
To: kerberos@mit.edu
Dear All,
I have upgraded both my server and my client to "1.12+dfsg-2ubuntu5.1"
(Ubuntu 14.04.1 LTS).
root@client:~# aptitude show krb5-user | grep Version
Version: 1.12+dfsg-2ubuntu5.1
root@server:~# aptitude show krb5-kdc | grep Version
Version: 1.12+dfsg-2ubuntu5.1
client% ksu
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for gmazza/root@DOC.IC.AC.UK: :
ksu: Generic error (see e-text) while getting credentials from kdc
Authentication failed.
root@server:~# tail -f /var/log/krb5kdc.log | grep gmazza
...
Feb 17 16:05:45 thoth.doc.ic.ac.uk krb5kdc[25860](info): AS_REQ (9
etypes {18 17 16 23 25 26 1 3 2}) 146.169.46.230: ISSUE: authtime
1424189145, etypes {rep=16 tkt=1 ses=1}, gmazza/root@DOC.IC.AC.UK for
krbtgt/DOC.IC.AC.UK@DOC.IC.AC.UK
Feb 17 16:05:45 thoth.doc.ic.ac.uk krb5kdc[25860](info): TGS_REQ (9
etypes {18 17 16 23 25 26 1 3 2}) 146.169.46.230: NO PREAUTH: authtime
0, gmazza/root@DOC.IC.AC.UK for host/bacio.doc.ic.ac.uk@DOC.IC.AC.UK,
Generic error (see e-text)
Feb 17 16:05:45 thoth.doc.ic.ac.uk krb5kdc[25860](info): TGS_REQ (9
etypes {18 17 16 23 25 26 1 3 2}) 146.169.46.230: NO PREAUTH: authtime
0, gmazza/root@DOC.IC.AC.UK for host/bacio.doc.ic.ac.uk@DOC.IC.AC.UK,
Generic error (see e-text)
I managed to solve the problem by upgrading my root principal
from DES to AES.
However, on the client I have got:
client% head -5 /etc/krb5.conf
[appdefaults]
# [dwm] necessary for DOC.IC.AC.UK
allow_weak_crypto=true
...
I thought that would be enough to support old DES principal.
By the way, ksu is the only kerberized application that does not work.
All the others still work. Even the ones where DES principals are used.
Has anybody experienced the same problem?
All the best,
Giuseppe
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
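
The AS_REQ entry in the KDC log above reports etypes {rep=16 tkt=1 ses=1}: the issued ticket and its session key use etype 1 (des-cbc-crc). The following is an added example, not part of the original post or of MIT krb5: a small audit script that finds such single-DES issuances in krb5kdc.log. The function name, the regular expression and the result layout are assumptions of this example; the etype numbers are the standard Kerberos assignments.

```python
import re

# Kerberos encryption type numbers (standard assignments).
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
          25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
SINGLE_DES = {1, 2, 3}  # the types that need allow_weak_crypto

# Matches the "ISSUE" form of a krb5kdc log entry as it appears in the post.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) .*?: ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

def weak_issues(lines):
    """Return one finding per issued ticket that involves a single-DES key."""
    findings = []
    for line in lines:
        m = ISSUE_RE.search(line)
        if not m:
            continue  # failed requests carry no rep/tkt/ses triple
        used = {k: int(m[k]) for k in ("rep", "tkt", "ses")}
        weak = {k: ETYPES.get(v, str(v))
                for k, v in used.items() if v in SINGLE_DES}
        if weak:
            findings.append({"request": m["req"], "client": m["client"],
                             "service": m["service"], "weak": weak})
    return findings

# Two of the log entries from the post, with the mail line wrapping undone.
SAMPLE = [
    "Feb 17 16:05:45 thoth.doc.ic.ac.uk krb5kdc[25860](info): AS_REQ (9 "
    "etypes {18 17 16 23 25 26 1 3 2}) 146.169.46.230: ISSUE: authtime "
    "1424189145, etypes {rep=16 tkt=1 ses=1}, gmazza/root@DOC.IC.AC.UK for "
    "krbtgt/DOC.IC.AC.UK@DOC.IC.AC.UK",
    "Feb 17 16:05:45 thoth.doc.ic.ac.uk krb5kdc[25860](info): TGS_REQ (9 "
    "etypes {18 17 16 23 25 26 1 3 2}) 146.169.46.230: NO PREAUTH: authtime "
    "0, gmazza/root@DOC.IC.AC.UK for host/bacio.doc.ic.ac.uk@DOC.IC.AC.UK, "
    "Generic error (see e-text)",
]

if __name__ == "__main__":
    for f in weak_issues(SAMPLE):
        print(f["request"], f["client"], "->", f["service"], f["weak"])
```

Run over a full log, the findings list the services and clients that still depend on single-DES keys.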