This still afflicts me, so I took another look. Looking at the code I referenced in the patch above, I don't see how it can work *without* preauth - in kerberos5.c:_kdc_as_rep(), reply_key is NULL unless it's set at this line (ignoring PKINIT):

    reply_key = &pa_key->key;

Maybe there's some code missing at a higher level that is supposed to handle this condition rather than leaking it back to the client?

In any case, I don't remember why I couldn't enable preauth before (maybe I still had some Kerberos 4 lying around?), but setting require-preauth does fix the problem for me now.

For the not-clued-in amongst us, it might be nice to see some more documentation on preauth, i.e. what downside could there be to using it? As it stands, about the only thing googling for "heimdal preauth" returns is the existence of the require-preauth krb5.conf option.