On Wednesday, October 11, 2006 06:06:08 PM -0500 John Hascall <[EMAIL PROTECTED]> wrote:
> >> Except the issue here is he's getting a DES_CBC_MD4 session key when he >> wants DES_CBC_CRC. The "why" is likely in the code you're quoting - >> DES_CBC_MD4 is a "better" enctype, and both sides appear to support it >> (since the single-des types are interchangeable). > >> I'd be curious to know how the resulting ticket is not "useful"; that >> is, what application is being used and what error results when >> attempting to use that ticket. > > Here is the error reported by the user: > > $ telnet -fax cerberus.ait.iastate.edu > Encryption is verbose > Trying 129.186.145.115... > Connected to cerberus.ait.iastate.edu. > Escape character is '^]'. > [ Trying mutual KERBEROS5 (host/[EMAIL PROTECTED])... ] > [ Kerberos V5 refuses authentication because telnetd: > krb5_rd_req failed: Encryption type not permitted ] > [ Trying KERBEROS5 (host/[EMAIL PROTECTED])... ] > [ Kerberos V5 refuses authentication because telnetd: > krb5_rd_req failed: Encryption type not permitted ] Is the telnetd also heimdal? That sounds like either the machine running telnetd is configured to require des-cbc-crc, or its keytab contains only a des-cbc-crc key. You can fix the latter problem by using ktutil to copy the keytab to a v4 srvtab and back. -- Jeff ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
