fixed 698534 1.11.2+dfsg-1 thanks On Sun, 26 May 2013, Christoph Anton Mitterer wrote:
See the attachments (kinit for what happened with plain kinit, kutil for what happened with the keytab).
Thanks for these. It looks like the salt that the KDC is sending back with the AS_REP is "CERN.CHchristoph.anton.mitterer", but the salt that ktutil would use is just "CERN.CHmitterer". Since these are not the same, the key generated by ktutil is different than the key on the KDC, and the encrypted timestamp preauthentication fails.
ktutil is not smart enough to allow the user to specify a non-default salt; if your KDC is in fact AD, you may need to use a ktpass.exe utility to generate an AES keytab for your principal.
The arcfour enctypes presumably worked because they do not use the salt parameter for key generation.
-Ben Kaduk -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
