Re: Roaming workstations broken
[Petter Reinholdtsen]
> Anyone understand enough of Kerberos to find a solution?
I found this line in kdc.log:
Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes
{18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for
krbtgt/INTERN@INTERN, Additional pre-authentication required
I then looked up what the etypes meant, and found
<URL: http://pig.made-it.com/kerberos-etypes.html > mapping IDs to
names.
Added the names for 16-18,23 to krb5.conf on the main-server, and the
roaming workstation started working again. This is the diff.
--- a/krb5.conf
+++ b/krb5.conf
@@ -1,7 +1,7 @@
[libdefaults]
## FIXME: needed because of #521878:
allow_weak_crypto = true
- permitted_enctypes = des-cbc-crc
+ permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
default_realm = INTERN
# Should probably use this in [libdefaults] to look up servers in DNS:
# dns_lookup_realm = false
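Review bot: The new permitted_enctypes value on the + line admits more types than the fix was shown to need. The logged AS_REQ offers etypes 18 17 16 23, and the message says only the last entry in the new list (aes256-cts-hmac-sha1-96) was tested. Consider adding just the two AES types first and confirming the roaming workstation still authenticates, then adding rc4-hmac or des3-cbc-sha1-kd only if a specific client turns out to need them. des-cbc-crc and allow_weak_crypto = true stay in place under the existing FIXME, so it would also help to extend that comment to say which consumer still needs single DES, so the entry can be dropped once #521878 is resolved.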
I suspect it will work with any of the types in the
permitted_enctypes, but only tested with the last one.
Is this a good solution? Which of the etypes should we permit? Will
any of them cause problems with NFSv4?
--
Happy hacking
Petter Reinholdtsen
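The etype lookup described in the message above, as an added example that is not part of the original post: it maps the numbers in the kdc.log AS_REQ entry to names and compares them with the old and new permitted_enctypes lines from the diff. The function names and the WEAK set (based on RFC 6649 and RFC 8429) are assumptions of this example, and it assumes a whitespace-separated list as in the diff.

```python
import re

# Kerberos etype numbers -> the MIT krb5 names used in the krb5.conf diff.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK = {"des-cbc-crc", "des3-cbc-sha1-kd", "rc4-hmac"}

AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes\s*\{([\d\s]+)\}\)")

def requested_etypes(log_text):
    """Etype numbers the client offered in a krb5kdc AS_REQ log entry."""
    m = AS_REQ_RE.search(log_text)
    return [int(n) for n in m.group(1).split()] if m else []

def permitted_from_conf(conf_text):
    """Names listed on the permitted_enctypes line of krb5.conf text."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "permitted_enctypes":
            return value.split()
    return []

def audit(log_text, conf_text):
    """Compare what the client offered with what krb5.conf permits."""
    permitted = set(permitted_from_conf(conf_text))
    offered = [ETYPE_NAMES.get(n, f"unknown-{n}") for n in requested_etypes(log_text)]
    common = [name for name in offered if name in permitted]
    return {
        "offered": offered,
        "common": common,
        "weak_common": [name for name in common if name in WEAK],
        "blocked": [name for name in offered if name not in permitted],
    }

# Inputs copied from the message: the kdc.log entry (as wrapped in the mail)
# and the old and new permitted_enctypes lines from the diff.
LOG = ("Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes\n"
       "{18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for krbtgt/INTERN@INTERN")
OLD_CONF = "[libdefaults]\npermitted_enctypes = des-cbc-crc\n"
NEW_CONF = ("[libdefaults]\npermitted_enctypes = des-cbc-crc rc4-hmac "
            "des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96\n")

if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(label, audit(LOG, conf))
```

With the old line the "common" list is empty, and with the new line every offered type is permitted, two of them from the WEAK set.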