On Thu, 2004-06-03 at 08:38, Karsten Petersen wrote: > Hi, > > after some more testing and playing around with krb5.conf directives I > believe that I have found the problem: > > Karsten Petersen wrote: > > we have a KDC (Heimdal 0.6.2) running for a test. kinit works, it > > successfully provides users with krb4 and krb5 TGTs. > Because we want to migrate our AFS to Heimdal Kerberos5, we have the > AFS-salt (and the v4-salt) activated on the kdc. > I have the same configuration Heimdal 0.6 kdc on a SUN network. > > 0. A service principal was created on the KDC. > And this principal got by default not only v5-salted keys, but also v4- > and AFS-salted. > > > A krb5 keytab on the GSS test machine was created by calling Heimdal's > > kadmin with "ext_keytab *hostname*". > This exported all keys to the keytab, which therefore ended up with > several keys per encryption type. > > > The keytab contains 10 different encryptions of the service key. > 3 x des-cbc-crc > 3 x des-cbc-md4 > 3 x des-cbc-md5 > 1 x des3-cbc-hmac > > > 1. GSS client- and server-app on the GSS test machine both use MIT > > Kerberos5 1.3.1. This works like a charm. > Yeah, because it took the des3-cbc-hmac key. If forced to some other > encryption type, it did not work too. > > After deleting the principal on the server, recreating it only with > v5-salted keys and exporting it again - everything worked. > > > So where is the problem? > It seems to me that MIT Kerberos5 1.3.1 is not able to handle keytab > files with several keys of the same encryption type (but different > salts). I had exactly the same problem to runn Sun Microsystems NFS using Heimdal KDC instead of the Mit based krb5kdc. In my case I didn't remove the encrytio types from the KDC server, but I DO delete the extra entries from the /etc/krb5/krb5.keytab SUN-MIT dependent file ( Because the SUN NFS use native kr5 library from MIT) > Or is there some magical krb5.conf option I did not find yet? > > Best wishes, > Karsten Petersen
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
