
Re: Roaming workstations broken



[Petter Reinholdtsen]
> Anyone understand enough of Kerberos to find a solution?

I found this line in kdc.log:

  Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes
    {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for
    krbtgt/INTERN@INTERN, Additional pre-authentication required

I then looked up what the etypes meant, and found
<URL: http://pig.made-it.com/kerberos-etypes.html > mapping IDs to
names.

Added the names for 16-18,23 to krb5.conf on the main-server, and the
roaming workstation started working again.  This is the diff.

--- a/krb5.conf
+++ b/krb5.conf
@@ -1,7 +1,7 @@
 [libdefaults]
         ## FIXME: needed because of #521878:
         allow_weak_crypto = true
-        permitted_enctypes = des-cbc-crc
+        permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
         default_realm = INTERN
 # Should probably use this in [libdefaults] to look up servers in DNS:
 #        dns_lookup_realm = false
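Review bot: the widened permitted_enctypes line keeps des-cbc-crc (single DES) in front and adds rc4-hmac next to the des3 and AES types, so the server still accepts the weakest types and keeps depending on the `allow_weak_crypto = true` line above it; the AS_REQ in kdc.log offered only {18 17 16 23}, which are exactly the four added names, so those alone cover the roaming client. Suggest extending the existing FIXME comment so it records that des-cbc-crc is kept only for #521878, and listing the AES types first so the intent is obvious when the weak entries are removed together with allow_weak_crypto.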

I suspect it will work with any of the types in the
permitted_enctypes, but only tested with the last one.

Is this a good solution?  Which of the etypes should we permit?  Will
any of them cause problems with NFSv4?
-- 
Happy hacking
Petter Reinholdtsen
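An added example, not part of Petter's mail or the Debian Edu configuration: it parses the AS_REQ line from kdc.log, maps the numeric etypes to krb5.conf names, and compares them with a krb5.conf permitted_enctypes list, so the empty intersection that broke the roaming workstation shows up directly. The etype table is a subset of the IANA registry; the log and config snippets are constructed from the ones quoted in the mail.

```python
import re

# Etype numbers to krb5.conf names (subset of the IANA Kerberos registry
# covering the types seen in the post).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES types: MIT krb5 only uses them when allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}

AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{([\d ]+)\}\) (\S+): (\w+): (\S+) for ([^\s,]+)")

def parse_as_req(log_text):
    """Return one dict per AS_REQ line: client IP, KDC status, principal, etype names.
    Wrapped continuation lines (as in the quoted log) are joined first."""
    joined = re.sub(r"\n\s+", " ", log_text)
    results = []
    for m in AS_REQ_RE.finditer(joined):
        ids = [int(x) for x in m.group(1).split()]
        names = [ETYPE_NAMES.get(i, "etype-%d" % i) for i in ids]
        results.append({"client": m.group(2), "status": m.group(3),
                        "principal": m.group(4), "service": m.group(5),
                        "etypes": names})
    return results

def permitted_enctypes(conf_text):
    """Extract the permitted_enctypes list from a krb5.conf text."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", conf_text, re.M)
    return m.group(1).split() if m else []

def check(log_text, conf_text):
    """For each AS_REQ, list the client-offered etypes the config permits
    (empty list = the KDC side cannot agree on a key type with that client)
    and which permitted types are weak."""
    permitted = permitted_enctypes(conf_text)
    return [{"client": r["client"], "principal": r["principal"],
             "common": [e for e in r["etypes"] if e in permitted],
             "weak_permitted": sorted(WEAK_ENCTYPES & set(permitted))}
            for r in parse_as_req(log_text)]

# Constructed sample input, taken from the log line and diff in the mail.
SAMPLE_LOG = """Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes
  {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for
  krbtgt/INTERN@INTERN, Additional pre-authentication required
"""
OLD_CONF = "[libdefaults]\n        permitted_enctypes = des-cbc-crc\n"
NEW_CONF = ("[libdefaults]\n        permitted_enctypes = des-cbc-crc rc4-hmac "
            "des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96\n")
```

Running `check(SAMPLE_LOG, OLD_CONF)` gives an empty `common` list for 10.0.15.1, while the new config matches all four offered types and still reports des-cbc-crc as a weak permitted type.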
