Kerberos client side default_tkt_enctypes problem
Andrew Bartlett
abartlet at samba.org
Wed Nov 17 18:12:31 MST 2010
On Wed, 2010-11-17 at 07:34 +1100, Andrew Bartlett wrote:
> On Tue, 2010-11-16 at 17:41 +0200, Zahari Zahariev wrote:
> > Hi Andrew,
> >
> > I have a strange but easy to reproduce problem with the client side krb5.conf
> > and the latest Samba4.
> >
> > I have 2 machines: 1 DC with Samba4 and one other Linux machine that has the
> > following /etc/krb5.conf:
> >
> > ===
> > [libdefaults]
> > default_realm = AUTOINST.TEST
> > default_tkt_enctypes = des-cbc-md5; or des-cbc-crc
> > default_tgs_enctypes = des-cbc-md5; or des-cbc-crc
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> >
> > [realms]
> > AUTOINST.TEST = {
> > kdc = centos5a.autoinst.test:88
> > kpasswd_server = centos5a.autoinst.test:464
> > }
> > ===
> >
> > When you try to run "kinit administrator@AUTOINST.TEST" on the client
> > machine the result is:
> >
> > kinit(v5): Cannot contact any KDC for realm 'AUTOINST.TEST' while
> > getting initial credentials
> >
> > Here comes the tricky part. If you remove "default_tkt_enctypes" line
> > from the client krb5.conf everything works fine. Is this something
> > Samba4 does not support?
>
> Modern Kerberos distributions do not allow the use of weak crypto by
> default, and so for Heimdal (presumably the same for MIT) you must set:
>
> [libdefaults]
> allow_weak_crypto = yes
>
> before the des types will work.
BTW, this is also the setting that must be applied to the Samba4 KDC for
it to support the weak crypto.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
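The failure in this thread is easy to spot before ever running kinit: the client asks only for single-DES enctypes while the library refuses weak crypto unless allow_weak_crypto is set. The following is an added example, not code from the thread or from Samba, MIT or Heimdal: a small Python lint that parses a krb5.conf, reports DES enctypes requested in default_tkt_enctypes / default_tgs_enctypes / permitted_enctypes without allow_weak_crypto = yes, and can emit either the workaround from the reply (allow_weak_crypto = yes) or the preferable fix of dropping the DES enctypes so the library defaults apply. The parser, the embedded sample config and the set of enctypes treated as weak are assumptions of this example.

```python
"""Lint a krb5.conf for single-DES enctypes that modern MIT/Heimdal
libraries refuse unless allow_weak_crypto = yes is set.
Added example; not from the samba-technical thread or any krb5 project."""
import re

# Assumption: the single-DES family that allow_weak_crypto gates.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des-cbc-raw", "des-hmac-sha1"}
# [libdefaults] relations whose values are enctype lists.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

# Constructed sample modelled on the config in the thread (standard
# space-separated enctype lists, no allow_weak_crypto).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = AUTOINST.TEST
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    dns_lookup_kdc = false

[realms]
    AUTOINST.TEST = {
        kdc = centos5a.autoinst.test:88
    }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}. Nested groups
    such as `REALM = { ... }` are flattened to 'REALM/key'. Comments and
    blank lines are dropped. Enough for the checks below, not complete."""
    sections, section, prefix = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, prefix = m.group(1), []
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == "}":
            prefix.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            prefix.append(key)
            continue
        sections[section]["/".join(prefix + [key])] = value
    return sections


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def find_weak_enctype_problems(text):
    """List (key, enctype) pairs for weak enctypes requested while
    allow_weak_crypto is unset; empty list means no weak-crypto block."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    if _truthy(libdefaults.get("allow_weak_crypto", "no")):
        return []
    problems = []
    for key in ENCTYPE_KEYS:
        for enctype in re.split(r"[\s,]+", libdefaults.get(key, "")):
            if enctype.lower() in WEAK_ENCTYPES:
                problems.append((key, enctype.lower()))
    return problems


def enable_weak_crypto(text):
    """Workaround from the thread: set allow_weak_crypto = yes in
    [libdefaults], replacing an existing value or adding the section."""
    out, in_libdefaults, done = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if re.match(r"^\[\w+\]$", stripped):
            if in_libdefaults and not done:      # leaving [libdefaults]
                out.append("    allow_weak_crypto = yes")
                done = True
            in_libdefaults = stripped == "[libdefaults]"
        elif (in_libdefaults and not done
              and stripped.partition("=")[0].strip() == "allow_weak_crypto"):
            out.append("    allow_weak_crypto = yes")
            done = True
            continue
        out.append(line)
    if not done:
        if not any(l.strip() == "[libdefaults]" for l in text.splitlines()):
            out.append("[libdefaults]")
        out.append("    allow_weak_crypto = yes")
    return "\n".join(out) + "\n"


def strip_weak_enctypes(text):
    """Preferred fix: remove weak enctypes from the enctype lists so the
    library defaults apply; a list left empty is dropped entirely."""
    out = []
    for line in text.splitlines():
        key, eq, value = line.partition("=")
        if eq and key.strip() in ENCTYPE_KEYS:
            kept = [e for e in re.split(r"[\s,]+", value.strip())
                    if e and e.lower() not in WEAK_ENCTYPES]
            if not kept:
                continue
            line = f"{key}= {' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, enctype in find_weak_enctype_problems(SAMPLE_CONF):
        print(f"weak enctype {enctype} in {key} without allow_weak_crypto")
    print(strip_weak_enctypes(SAMPLE_CONF))
```

Run the lint over a client or KDC krb5.conf before debugging "Cannot contact any KDC" errors: if it reports anything, either the DES enctypes have to go (strip_weak_enctypes) or, only where a legacy peer really requires DES, allow_weak_crypto = yes has to be set on both the client and, as the reply notes, the Samba4 KDC.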