Kerberos client side default_tkt_enctypes problem
Andrew Bartlett
abartlet at samba.org
Tue Nov 16 13:34:20 MST 2010
On Tue, 2010-11-16 at 17:41 +0200, Zahari Zahariev wrote:
> Hi Andrew,
>
> I have strange but easy to reproduce problem with client side krb5.conf
> and latest Samba4.
>
> I have 2 machines 1 DC with Samba4 and one other Linux that has the
> following /etc/krb5.conf:
>
> ===
> [libdefaults]
> default_realm = AUTOINST.TEST
> default_tkt_enctypes = des-cbc-md5; or des-cbc-crc
> default_tgs_enctypes = des-cbc-md5; or des-cbc-crc
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> AUTOINST.TEST = {
> kdc = centos5a.autoinst.test:88
> kpasswd_server = centos5a.autoinst.test:464
> }
> ===
>
> When you try to run "kinit administrator@AUTOINST.TEST" on the client
> machine the result is:
>
> kinit(v5): Cannot contact any KDC for realm 'AUTOINST.TEST' while
> getting initial credentials
>
> Here comes the tricky part. If you remove "default_tkt_enctypes" line
> from the client krb5.conf everything works fine. Is this something
> Samba4 does not support?
Modern Kerberos distributions do not allow the use of weak crypto by
default, and so for Heimdal (presumably the same for MIT) you must set:

    [libdefaults]
    allow_weak_crypto = yes

before the des types will work.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
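
A check for the condition described in the reply above, as an added example that is not part of the original thread or of Samba/Heimdal/MIT code: it audits a krb5.conf body for enctype lists that name single-DES types and reports lists with nothing usable left when allow_weak_crypto is not enabled. The function names, the WEAK_ENCTYPES set (limited to single-DES names) and the sample configuration are assumptions constructed for the example.

```python
import re

# Single-DES enctype names (the types discussed in this thread). Assumption:
# extend this set to match what your Kerberos library treats as weak.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "t", "true", "on", "1"}

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def audit(text):
    """List findings for weak enctype settings in a krb5.conf body."""
    conf = parse_libdefaults(text)
    weak_ok = conf.get("allow_weak_crypto", "no").lower() in TRUE_VALUES
    findings = []
    if weak_ok:
        findings.append("allow_weak_crypto is enabled: single-DES is permitted")
    for key in (k for k in ENCTYPE_KEYS if k in conf):
        listed = [e.lower() for e in re.split(r"[\s,]+", conf[key]) if e]
        weak = [e for e in listed if e in WEAK_ENCTYPES]
        usable = listed if weak_ok else [e for e in listed if e not in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} lists weak enctypes: {', '.join(weak)}")
        if not usable:
            findings.append(f"{key} has no usable enctype without allow_weak_crypto")
    return findings

# Constructed sample modelled on the client configuration quoted in the thread.
SAMPLE = """[libdefaults]
default_realm = AUTOINST.TEST
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Keys that are absent from [libdefaults] are skipped, since the library's own default enctype list applies to them.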