Config for enctypes on *received* service tickets - Kerberos



Thread: Config for enctypes on *received* service tickets

  1. Config for enctypes on *received* service tickets

    Apologies if anybody sees this twice... I believe my first post failed.

    I'm facing a problem where a server side app leveraging gssapi on one
    of my linux boxes fails to honor all service tickets that are presented
    to it by clients. The tickets are issued by a Windows KDC. The failure
    returned by gssapi is kerberos error 31 (decimal) AP_ERR_BAD_INTEGRITY.

    I am wondering if this is related to the ciphers in play. I have been
    reading every doc I can get my hands on regarding krb5.conf, and I'm
    still not clear on what, if any, entry in krb5.conf would apply to
    enctypes to be used when decrypting service tickets received from
    clients.

    http://web.mit.edu/kerberos/www/krb5...ml#libdefaults
    says (paraphrasing):

    1) default_tgs_enctypes controls encryption used in TGS_REPs where we
    are acting as a KDC (not relevant to this scenario)

    2) default_tkt_enctypes controls enctypes to be requested in ticket
    requests, where we are acting as a client principal (also not relevant
    to this scenario)

    so that leaves

    3) permitted_enctypes which is described as "Identifies all
    encryption types that are permitted for use in session key
    encryption." Depending on how you read that sentence, that could be
    interpreted as being relevant to session key decryption.

    So, to sum up, if I am failing to accept service tickets that I am
    receiving as described above with error 31 BAD_INTEGRITY, do you think
    I should add a "permitted_enctypes" entry with the relevant ciphers (the
    Windows KDC appears to be using RC4-HMAC or DES-CBC-MD5, depending on
    configuration), or am I barking up the completely wrong tree?

    In the latter case, can anyone suggest a better tree?

    Thanks

    -Matt


  2. Re: Config for enctypes on *received* service tickets

    Matt wrote:

    > So, to sum up, if I am failing to accept service tickets that I am
    > receiving as described above with error 31 BAD_INTEGRITY, do you think
    > I should add a "permitted_enctypes" entry with the relevant ciphers (the
    > Windows KDC appears to be using RC4-HMAC or DES-CBC-MD5, depending on
    > configuration), or am I barking up the completely wrong tree?


    You do not want to restrict the enctypes that can be used.
    You need to make sure that you have key tab entries for all combinations
    of service name, kvno, and enctype that are being received by the
    service. A Bad Integrity error is most likely the result of having
    the wrong key in the keytab entry.

    Jeffrey Altman

    --
    -----------------
    This e-mail account is not read on a regular basis.
    Please send private responses to jaltman at mit dot edu

  3. Re: Config for enctypes on *received* service tickets

    Thanks!!!

    Is there a tool/command/method that I can use to parse/view the keytab
    to verify the items you mention?

    Cheers

    -Matt


  4. Re: Config for enctypes on *received* service tickets

    You can use klist -e -k -t keytab

    Regards
    Markus

    "Matt" wrote in message
    news:1128016212.083552.241290@z14g2000cwz.googlegroups.com...
    > Thanks!!!
    >
    > Is there a tool/command/method that I can use to parse/view the keytab
    > to verify the items you mention?
    >
    > Cheers
    >
    > -Matt
    >
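An added example, not part of the thread: a small Python parser for the MIT keytab format (version 0x0502) that lists the same fields `klist -e -k -t` prints (kvno, timestamp, principal, enctype) and then performs the check Jeffrey's reply describes, namely that the keytab holds an entry for every (service name, kvno, enctype) combination the service will be handed in incoming tickets. The sample keytab is constructed inline; the principal `HTTP/web01.example.com@EXAMPLE.COM`, the kvno values and the key bytes are placeholders, and `build_keytab`, `parse_keytab` and `missing_keys` are names chosen for this example.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757); RC4 and DES-CBC-MD5 are the
# two the Windows KDC in the thread is said to use.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # RC4-HMAC
}

def _counted(b: bytes) -> bytes:
    """MIT 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into keytab format v2 (0x0502)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)              # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1_000_000_000)  # timestamp (constructed value)
        body += struct.pack(">B", kvno & 0xFF)    # 8-bit kvno field
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)           # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes):
    """One dict per live entry with the fields 'klist -e -k -t' shows; key bytes are never kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format version 2 (0x0502) is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # deleted entry: a free slot of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        pos += 4                      # name_type, not needed for this check
        (timestamp,) = struct.unpack_from(">I", data, pos)
        pos += 4
        kvno = data[pos]              # 8-bit kvno
        pos += 1
        (enctype, keylen) = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen             # skip over the key material
        if end - pos >= 4:            # optional 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
            "timestamp": timestamp,
        })
    return entries

def missing_keys(entries, required):
    """Return the (principal, kvno, enctype) triples in 'required' that the keytab lacks."""
    have = {(e["principal"], e["kvno"], e["enctype"]) for e in entries}
    return [r for r in required if r not in have]

# Constructed sample: kvno 3 keys for arcfour-hmac (16 bytes) and aes256 (32 bytes),
# separated by a deleted slot of the kind ktutil leaves behind. Keys are placeholders.
SVC = "HTTP/web01.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (
    build_keytab([(SVC, 3, 23, bytes(range(16)))])
    + struct.pack(">i", -8) + bytes(8)
    + build_keytab([(SVC, 3, 18, bytes(range(32)))])[2:]   # drop the second header
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f'{e["kvno"]:>4} {e["principal"]} ({e["enctype_name"]})')
    # RC4 kvno 3 is covered; DES-CBC-MD5 kvno 3 and RC4 after a key roll (kvno 4) are
    # not, and a ticket under either would be rejected with a bad-integrity error.
    print("missing:", missing_keys(parse_keytab(SAMPLE_KEYTAB), [(SVC, 3, 23), (SVC, 3, 3), (SVC, 4, 23)]))
```

On a real host, `klist -e -k -t /etc/krb5.keytab` gives the same three columns; the triples passed to `missing_keys` would come from the enctype and kvno the KDC is actually issuing for the service principal, so a mismatch in any of the three (including a stale kvno after the account password changed) shows up before the service ever sees a ticket.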