
Re: gss problem, invalid cksum type



On Wed, 15 Mar 2006 16:07:03 -0500 (EST)
rick@snowhite.cis.uoguelph.ca wrote:

> Hi,
> 
> I'm using heimdal-0.7.2 for the gssd for my NFSv2,3,4 client/server that
> supports RPCSEC_GSS. Everything seems to work fine here, where I have a
> rather old (1.2.n) MIT KDC. However, when it was recently tested at a
> site that uses a Solaris KDC, the gss_init_sec_context() kept failing and
> the Solaris KDC logged "invalid checksum type" (or something like that).
> 
> The keytabs involved just used des-cbc-crc:normal, which works fine here.

GSSAPI uses the GSSAPI-specific 0x8003 checksum type, but with CIFS
authentication a standard MD5 checksum is used. Maybe you're having a
similar problem.

Take a capture w/ the kinit and NFS authentication. Ethereal will decrypt
the authenticator if it sees the necessary key in a previous frame. At
least it will for CIFS authentications. Look for differences between
your working server vs. broken (e.g. authenticator checksum).

Mike
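
The comparison suggested above, as an added example that is not part of the original message: it pulls the checksum out of an already-decrypted authenticator and decodes the 0x8003 layout from RFC 4121 section 4.1.1. It assumes the decrypted authenticator has been exported as DER bytes and that the "standard MD5" case is Kerberos checksum type 7 (rsa-md5); the sample bytes and all function names are constructed for illustration.

```python
GSS_CKSUM = 0x8003                       # GSSAPI checksum type, RFC 4121 section 4.1.1
CKSUM_NAMES = {1: "crc32", 7: "rsa-md5", GSS_CKSUM: "gssapi-0x8003"}
GSS_FLAGS = {1: "deleg", 2: "mutual", 4: "replay", 8: "sequence", 16: "conf", 32: "integ"}

def tlv(buf, off):
    """Read one DER tag-length-value; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                    # long form: low bits give the count of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def children(buf):                       # tag -> value for elements directly inside buf
    out, off = {}, 0
    while off < len(buf):
        tag, val, off = tlv(buf, off)
        out[tag] = val
    return out

def authenticator_cksum(der):
    """Return (cksumtype, checksum bytes) from a decrypted Authenticator, or None."""
    tag, body, _ = tlv(der, 0)           # bytes after the first TLV (cipher padding) are ignored
    if tag != 0x62:                      # [APPLICATION 2]
        raise ValueError("not a Kerberos Authenticator")
    fields = children(children(body)[0x30])
    if 0xA3 not in fields:               # cksum [3] is OPTIONAL
        return None
    ck = children(children(fields[0xA3])[0x30])
    ctype = int.from_bytes(children(ck[0xA0])[0x02], "big", signed=True)
    return ctype, children(ck[0xA1])[0x04]

def describe(ctype, data):
    """Summarise the checksum so a working and a failing capture can be compared."""
    info = {"type": CKSUM_NAMES.get(ctype, "type %d" % ctype), "len": len(data)}
    if ctype == GSS_CKSUM and len(data) >= 24:
        flags = int.from_bytes(data[20:24], "little")
        info["bnd_len"] = int.from_bytes(data[0:4], "little")   # Lgth field, normally 16
        info["flags"] = [name for bit, name in GSS_FLAGS.items() if flags & bit]
    return info

def enc(tag, val):                       # DER builder used only for the constructed samples
    return bytes([tag, len(val)]) + val
def sample(ctype_bytes, data):           # constructed sample, reduced to vno + cksum fields
    ck = enc(0x30, enc(0xA0, enc(0x02, ctype_bytes)) + enc(0xA1, enc(0x04, data)))
    return enc(0x62, enc(0x30, enc(0xA0, b"\x02\x01\x05") + enc(0xA3, ck)))
GSS_SAMPLE = sample(b"\x00\x80\x03", b"\x10\x00\x00\x00" + bytes(16) + b"\x22\x00\x00\x00")
MD5_SAMPLE = sample(b"\x07", bytes(16))
```

Calling `describe(*authenticator_cksum(der))` on the authenticator from each capture gives two small dictionaries to diff; a differing `type` is the kind of mismatch the reply suggests looking for.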