[28977] in Kerberos


Re: GSSAPI on Linux using Windows AD Servers as KDCs - Errors about

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Jan 7 11:16:48 2008

Message-ID: <4782503F.1080100@anl.gov>
Date: Mon, 07 Jan 2008 10:15:59 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "Jason D. McCormick" <jason@devrandom.org>
In-Reply-To: <47824C28.7040004@devrandom.org>
Cc: "Richard E. Silverman" <res@qoxp.net>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Jason D. McCormick wrote:
> Douglas E. Engert wrote:
> 
>> The problem might be that on the AD account the UserAccountControl flag
>> does not have the USE_DES_KEY_ONLY 0x200000 set, so AD is returning an
>> ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option
>> to set this.
>>
>> See kb 305144 too.
> 
> I'll give that a shot, thanks.
> 
>> Why are you using DES? All the newer Kerberos can use ArcFour. So try
>> ktpass without the crypto option.
> 
> Do you know if the Linux NFSv4 stuff can use ArcFour?  I've only been
> able to find (older - circa '06) docs that state the only working type
> is des-cbc-crc.

Don't know, but a lot of the developers on the nfsv4@ietf.org list are also
on the Kerberos list.

> 
> - Jason
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
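
The mismatch described in the quoted diagnosis can be checked offline. This is an added example, not code from the thread or from MIT Kerberos: it reads the key types out of a keytab and compares them with what the account's userAccountControl value implies. Assumptions: keytab file format 0x0502 with the 8-bit key version only, the ArcFour default for an unflagged account is taken from the message above, and the function names, principal and key bytes are constructed for illustration.

```python
import struct

USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit named in the message
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}

def _counted(blob, p):        # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", blob, p)
    return blob[p + 2:p + 2 + n].decode(), p + 2 + n

def keytab_entries(blob):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size > 0:                      # negative size marks a deleted entry (hole)
            (ncomp,) = struct.unpack_from(">H", blob, pos)
            realm, p = _counted(blob, pos + 2)
            comps = []
            for _ in range(ncomp):
                name, p = _counted(blob, p)
                comps.append(name)
            # skip name type (4) and timestamp (4); then 8-bit kvno and 16-bit enctype
            kvno, etype = struct.unpack_from(">BH", blob, p + 8)
            out.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos += abs(size)
    return out

def check(uac, blob):
    """Does the keytab hold a key of the type the message expects AD to issue?"""
    des_only = bool(uac & USE_DES_KEY_ONLY)
    wanted = {1, 3} if des_only else {23}     # assumption: ArcFour unless the bit is set
    have = {etype for _, _, etype in keytab_entries(blob)}
    return {"ad_issues": "DES" if des_only else "arcfour-hmac",
            "keytab": sorted(ENCTYPES.get(e, str(e)) for e in have),
            "usable": bool(have & wanted)}

def sample_keytab(etype=1, key=b"\x01" * 8):
    """Constructed keytab with one key for nfs/host.example.com@EXAMPLE.COM."""
    def cs(s): return struct.pack(">H", len(s)) + s
    entry = (struct.pack(">H", 2) + cs(b"EXAMPLE.COM") + cs(b"nfs") + cs(b"host.example.com")
             + struct.pack(">IIB", 1, 0, 3) + struct.pack(">H", etype) + cs(key))
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

if __name__ == "__main__":
    for uac in (0x10200, 0x10200 | USE_DES_KEY_ONLY):   # bit clear, then set
        print(hex(uac), check(uac, sample_keytab()))
```

With the DES-only sample keytab, the result is `usable: False` while the bit is clear and `usable: True` once it is set, which is the situation the message describes.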
