Re: gssapi-with-mic and a Windows AD KDC - openssh
On 3/14/06, Ian Grant wrote:
> Hi Sam,
> On 14 Mar 2006, at 15:25, Sam Evans wrote:
> So you can do gssapi-with-mic with a Windows 2003 KDC? What version
> of OpenSSH do you use?
Yes. The Windows machines in my environment are able to use a
kerberized version of PuTTY to log into the Unix machines by accepting
the Kerberos ticket issued to them by the DC.
Additionally, Unix machines are able to grab a krb5 ticket from the DC
and then SSO authentication works from machine to machine.
I am using OpenSSH 4.2p1 as well as 4.3p2.
> > On your KTPASS.EXE command line, add the following switch: -crypto
> > DES-CBC-MD5
> That's what I had before, and it didn't work, so I mailed this list.
> I was advised to try DES-CBC-CRC instead.
Hmm, like I said, I read somewhere that 2K3 didn't support CRC mode,
but it may have been wrong.
> In addition I'm using NFS v4 with krb5 authentication so I have a
> restricted set of available enctypes: The NFS stuff needs it to be
> either des-cbc-crc or des-cbc-md5 so I have to have something like
> this in krb5.conf
Okay, you can also specify des-cbc-md5 in addition to what you have
there in the krb5.conf file. I think by specifying only crc in your
.conf file, Kerberos will only use it and nothing else.
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc des-cbc-md5
> Thanks for the pointer. I'll have a look.
No problem. It took me a while to get everything working, but once it
does, it really is very nice.
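
An added example, not part of the original post: a small Python check that reads the three enctype settings from the [libdefaults] section of a krb5.conf and reports whether the enctype of the keytab key (the one chosen with ktpass -crypto) appears in each list. The sample configurations and the EXAMPLE.COM realm are constructed, and the function names are hypothetical.

```python
import re

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def libdefaults_enctypes(conf_text):
    """Return {setting: [enctype, ...]} for the enctype relations in [libdefaults]."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                # Lists may be separated by whitespace and/or commas.
                found[key] = [e.lower() for e in re.split(r"[\s,]+", value) if e]
    return found

def keytab_enctype_report(conf_text, keytab_enctype):
    """Per setting: True/False if the key's enctype is listed or not, None if unset."""
    lists = libdefaults_enctypes(conf_text)
    want = keytab_enctype.lower()
    return {k: (want in lists[k]) if k in lists else None for k in ENCTYPE_KEYS}

# Constructed sample: only CRC listed, as in the situation the reply describes.
CRC_ONLY = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    permitted_enctypes = des-cbc-crc
"""

# Constructed sample: the three lines suggested in the reply.
BOTH = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes = des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    for name, conf in (("crc only", CRC_ONLY), ("crc + md5", BOTH)):
        print(name, keytab_enctype_report(conf, "DES-CBC-MD5"))
```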