Hi All,

Our Active Directory environment is running Windows Server 2008 R2 and we've recently started deploying Kerberos across many of our Linux machines for Apache web authentication/single sign on. We have hopes to extend this to SSH authentication as well.

In testing, we have had persistent issues with Kerberos sending a name-type of "unknown" where the Windows 2008 R2 RODC is expecting NT-SRV-INST on TGS principal names. This issue appears to affect both MIT and Heimdal implementations of Kerberos and is discussed at length at: http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/9166

It would appear this bug has been addressed in 1.9 (see http://src.mit.edu/fisheye/changelog/krb5/?cs=24438); however, running Debian Lenny, we're still using the 1.6 branch. I have attempted to upgrade to 1.9 from the "experimental" repository; however, this breaks too many dependencies to implement in production.

Looking at how dramatically different the 1.6 and 1.9 branches are, I'm not confident enough to backport this patch myself; however, I was hoping someone might be able to help with a patch for the 1.6 releases that Debian is currently shipping?

Kind Regards,
Jonathan

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos