This is a discussion on Config for enctypes on *recieved* service tickets - Kerberos ; I'm facing a problem where an app leveraging gssapi on one of my linux boxes fails to decrypt service tickets it recieves from clients. The tickets are issued by a Windows KDC. The failure returned by gssapi is kerberos error ...
I'm facing a problem where an app leveraging gssapi on one of my linux
boxes fails to decrypt service tickets it recieves from clients. The
tickets are issued by a Windows KDC. The failure returned by gssapi is
kerberos error 31 (decimal) AP_ERR_BAD_INTEGRITY.
I am wondering if this related to the ciphers is play. I have been
reading every doc I can get my hands on regarding krb5.conf, and I'm
still not clear on what, if any, entry in krb5.conf would apply to
enctypes to be used when decrypting service tickets recieved from
1) default_tgs_enctypes controls encryption used in TGS_REPs where we
are acting as a KDC (not relevant to this scenario)
2) default_tkt_enctypes controls enctypes to be requested in ticket
requests, where we are acting as a client principal (also not relevant
to this scenario)
so that leaves
3) permitted_enctypes which is described as "Identifies all
encryption types that are permitted for use in session key
encryption." Depending on how you read that sentence, that could be
interpreted as being relevant to session key decryption.
So, to sum up, if I am failing to accept service tickets that I am
recieving as described above with error 31 BAD_INTEGRITY, do you think
I should add a "permitted_enctypes" entry with the relevant ciphers
(The Windows KDC appears to be using RC4-HMAC or DES-CBC-MD5,
depending on configuration), or am I barking up the completely wrong
In the latter case, can anyone suggest a better tree?
Kerberos mailing list Kerberos@mit.edu