
Re: Mixing heimdal and MIT clients.



I think all reasonably current distros should work with all enctypes  
these days.

If the smbclient is linked against some Kerberos (e.g. a local/old  
version of Heimdal) that doesn't support all types, then you should  
find out what types are supported, and limit the types in its service  
principal to match.  (There's an entry in the Kerberos FAQ on this.)

If you do a kinit or pam_krb5 with one library that supports more  
enctypes (e.g. AES256) than the other then the other library will  
lose.  Either use the least capable library for the initial ticket,  
or limit the enctypes on the initial ticket.

On Jan 15, 2008, at 7:39 AM, Timothy J. Miller wrote:

>
> On Jan 15, 2008, at 8:48 AM, Timothy J. Miller wrote:
>
>> On Jan 15, 2008, at 8:35 AM, Timothy J. Miller wrote:
>>
>>> heimdal/klist works fine but I don't have the MIT klist installed  
>>> on the client system.
>>
>> OK, so compiling MIT took less time than I thought.  MIT klist  
>> works just fine with the heimdal-obtained ccache.
>>
>> So now I'm at a total loss as to what's happening.
>
> On a hint from another mailing list, I nuked the following from  
> krb5.conf [libdefaults]:
>
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>
> Which were included by default by Ubuntu's krb5-common package.   
> Despite the fact that these didn't prevent heimdal clients from  
> working, those two lines certainly hosed up the MIT clients.
>
> With them gone, everything works now.
>
> Guess I need to read more about enctypes and their effects in both  
> libraries.
>
> -- Tim

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
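
The check discussed in this thread, as an added example that is not part of the original messages: a Python script that reads krb5.conf text, reports the enctype lists pinned under [libdefaults], flags single-DES entries, and shows the overlap with the enctypes a second Kerberos library supports. SAMPLE_CONF, the realm and KDC names, and the OTHER_LIBRARY set are constructed for illustration.

```python
import re

# Settings in [libdefaults] that pin which enctypes a client requests.
PIN_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")
# Single-DES enctype names, flagged here as legacy.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

def libdefaults_pins(conf_text):
    """Return {key: [enctypes]} for pinning keys found under [libdefaults]."""
    pins, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in PIN_KEYS:
                pins[key] = [e for e in re.split(r"[,\s]+", value) if e]
    return pins

def audit(conf_text, other_library_enctypes):
    """Per pinned key: legacy entries and overlap with the other library's enctypes."""
    report = {}
    for key, enctypes in libdefaults_pins(conf_text).items():
        report[key] = {
            "pinned": enctypes,
            "single_des": [e for e in enctypes if e in SINGLE_DES],
            "common": [e for e in enctypes if e in other_library_enctypes],
        }
    return report

# Constructed sample: the two lines quoted in the thread plus unrelated settings.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""
# Assumed capability list for the second library, for illustration only.
OTHER_LIBRARY = {"aes256-cts-hmac-sha1-96", "des3-hmac-sha1"}
if __name__ == "__main__":
    for key, info in audit(SAMPLE_CONF, OTHER_LIBRARY).items():
        print(key, info)
```

An empty "common" list for a pinned key means the two libraries have no enctype in common under that setting, which is the situation where either the pin or the principal's key types need to change.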