Ralf Hildebrandt <[email protected]> writes:

> After today's upgrade to testing, my users cannot authenticate against
> ADS anymore. I'm getting:

> Apr 17 17:20:40 vpn-gw-int openvpn[11840]: pam_krb5(openvpn-krb5:auth): (user
> tsteiner) credential verification failed: KDC has no support for encryption
> type

> "credential verification failed: KDC has no support for encryption type"

> # klist -ke /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 host/[email protected] (des-cbc-crc)
> 1 host/[email protected] (des-cbc-crc)
> 1 openvpn-krb5/[email protected] (des-cbc-crc)
> 1 host/[email protected] (des-cbc-crc)
> 1 openvpn-krb5/[email protected] (des-cbc-crc)

This is unrelated to libpam-krb5 itself; it doesn't care about the
encryption type. It just calls the underlying Kerberos library. However,
MIT Kerberos has dropped support for DES by default, and I'm guessing you
upgraded that at the same time.

The short version is that you need to add:

    allow_weak_crypto = true

to the [libdefaults] section of your krb5.conf file if you want to
continue to use DES.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
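Added example, not part of the original message or of any project's code: a small Python check that reads `klist -ke` output in the format quoted above and lists the principals whose keytab entries are all single-DES, i.e. the ones that stop working once DES is no longer accepted by default. The principal names in the sample and the contents of WEAK_ENCTYPES (limited to the single-DES names) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Single-DES enctype names in the short form klist prints on this page.
# Assumption: the set is limited to single DES, the case discussed above.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# One keytab entry line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return {principal: set of enctype names} from `klist -ke` output."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, separator and blank lines do not match
            keys[m.group(2)].add(m.group(3).strip().lower())
    return dict(keys)


def weak_only_principals(text):
    """Principals whose every key uses a weak enctype, sorted by name."""
    return sorted(
        principal
        for principal, etypes in parse_klist(text).items()
        if etypes <= WEAK_ENCTYPES
    )


# Constructed sample input (hypothetical hosts and realm), same layout as
# the listing quoted in the message.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/vpn-gw.example.org@EXAMPLE.ORG (des-cbc-crc)
   1 openvpn-krb5/vpn-gw.example.org@EXAMPLE.ORG (des-cbc-crc)
   2 host/files.example.org@EXAMPLE.ORG (des-cbc-crc)
   2 host/files.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for principal in weak_only_principals(SAMPLE):
        print("DES only:", principal)
```

A principal that also holds a non-DES key, like the third host in the sample, is not reported.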

