On 3/14/06, Ian Grant wrote:
> Hi Sam,
>
> Thanks.
>
> On 14 Mar 2006, at 15:25, Sam Evans wrote:
>
> So you can do gssapi-with-mic with a Windows 2003 KDC? What version
> of OpenSSH do you use?


Yes. The Windows machines in my environment are able to use a
kerberized version of PuTTY to log into the Unix machines by accepting
the Kerberos ticket issued to them by the DC.

Additionally, Unix machines are able to grab a krb5 ticket from the DC
and then SSO authentication works from machine to machine.

I am using OpenSSH 4.2p1 as well as 4.3p2.

>
> > On your KTPASS.EXE command line, add the following switch: -crypto
> > DES-CBC-MD5

>
> That's what I had before, and it didn't work, so I mailed this list.
> I was advised to try DES-CBC-CRC instead.
>


Hmm, like I said, I read somewhere that 2K3 didn't support CRC mode,
but it may have been wrong.

> In addition I'm using NFS v4 with krb5 authentication so I have a
> restricted set of available enctypes: The NFS stuff needs it to be
> either des-cbc-crc or des-cbc-md5 so I have to have something like
> this in krb5.conf


Okay, you can also specify des-cbc-md5 in addition to what you have
there in the krb5.conf file. I think by specifying only crc in your
.conf file, Kerberos will only use it and nothing else.

i.e.:

default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc des-cbc-md5

> Thanks for the pointer. I'll have a look.


No problem. It took me a while to get everything working, but once it
does, it really is very nice.
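
The enctype mismatch discussed in this message, as an added example that is not part of the original thread: it reads the three enctype lists from [libdefaults] in a krb5.conf and reports which of them leave out the enctype a keytab was created with (for instance the value given to ktpass -crypto). The realm, the KDC host name and the function names are constructed for illustration. Accepting comma-separated lists goes beyond what the thread shows, and a setting that is absent is treated as not excluding anything because library defaults are not modelled.

```python
import re

# Constructed sample: a krb5.conf that lists only des-cbc-crc, as in the thread.
SAMPLE_CRC_ONLY = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    permitted_enctypes = des-cbc-crc
[realms]
    EXAMPLE.COM = { kdc = dc.example.com }
"""

# Same file with des-cbc-md5 appended to each list, as the reply suggests.
SAMPLE_BOTH = SAMPLE_CRC_ONLY.replace("= des-cbc-crc", "= des-cbc-crc des-cbc-md5")

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def libdefaults_enctypes(conf_text):
    """Return {setting: [enctypes]} for the enctype lists in [libdefaults]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            found[key] = [e.lower() for e in re.split(r"[\s,]+", value) if e]
    return found


def settings_excluding(conf_text, key_enctype):
    """List the settings whose explicit enctype list omits key_enctype."""
    lists = libdefaults_enctypes(conf_text)
    wanted = key_enctype.lower()
    return [k for k in ENCTYPE_KEYS if k in lists and wanted not in lists[k]]


if __name__ == "__main__":
    for name, conf in (("crc only", SAMPLE_CRC_ONLY), ("crc + md5", SAMPLE_BOTH)):
        print(name, "->", settings_excluding(conf, "DES-CBC-MD5") or "permitted")
```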