[16639] in Kerberos_V5_Development

Re: message size incompatible with type error for krb5-1.9 lib

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Feb 16 11:38:00 2011

From: Greg Hudson <ghudson@mit.edu>
To: "Elzey, Blaine A (Blaine)" <blaine.elzey@alcatel-lucent.com>
In-Reply-To: <0DEE3BCEE44BFD4EBC3B7DC009C8E792250702CF0E@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
Date: Wed, 16 Feb 2011 11:37:55 -0500
Message-ID: <1297874275.5931.160.camel@t410>
Mime-Version: 1.0
Cc: "'krbdev@mit.edu'" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, 2011-02-16 at 10:16 -0500, Elzey, Blaine A (Blaine) wrote:
> "Message size is incompatible with encryption type" minor error is returned during gss_accept_sec_context.  Previous error was "Encryption type not permitted" which was fixed by adding allow_weak_crypto = true to server's krb5.conf.  This scenario is using SPNEGO.  Any ideas what might be the problem, or a good place to look?
> 
> Server (DNS) Solaris 10 with krb5-1.9 libraries
> KDC: Windows 2003 SP2 (32-bit)
> Client: binary on KDC (Windows SSPI) or statically linked krb5-1.1.1 binary on Server

I think this is a variation on:

http://mailman.mit.edu/pipermail/kerberos/2011-February/017033.html
http://mailman.mit.edu/pipermail/kerberos/2011-February/017035.html

although without the cross-realm.  The code fix in the second message
should be applicable, if you're in a position to recompile.

People who are more familiar with AD: is there a way to flag a service
principal as not needing a PAC in its service tickets, as a workaround
for this kind of problem?


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
