[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

trouble with forwarded tgt from windows client


We've been having some problems with forwarded TGT.  Specifically, we
have a Windows KDC, a Windows client which obtains a forwardable TGT and
sends it to Heimdal, and Heimdal's gss_accept_sec_context() successfully
returns the delegated credential.  However, when that credential is
passed to gss_init_sec_context() to obtain ticket for other services,
the Windows KDC returns "KDC has no support for checksum type".

Some investigations seem to suggest that the client's TGT has encryption
type des-cbc-md5, and based on that, Heimdal uses rsa-md5-des for
checksum, which Windows clearly doesn't support.  I know setting
default_etype in krb.conf to des-cbc-crc would normally solve such
problem, but it doesn't seem to work in this case because we are not
requesting the TGT ourselves.

So has anyone run into this problem before?  Is my guess of the cause
correct?  Any suggestion?  Thanks!

Zi-Bin Yang