On 3/14/06, Ian Grant <[EMAIL PROTECTED]> wrote:
> Hi Sam,
>
> Thanks.
>
> On 14 Mar 2006, at 15:25, Sam Evans wrote:
>
> So you can do gssapi-with-mic with a Windows 2003 KDC? What version
> of OpenSSH do you use?

Yes. The Windows machines in my environment are able to use a kerberized version of PuTTY to log into the Unix machines by accepting the Kerberos ticket issued to them by the DC. Additionally, Unix machines are able to grab a krb5 ticket from the DC and then SSO authentication works from machine to machine. I am using OpenSSH 4.2p1 as well as 4.3p2.

>
> > On your KTPASS.EXE command line, add the following switch: -crypto
> > DES-CBC-MD5
>
> That's what I had before, and it didn't work, so I mailed this list.
> I was advised to try DES-CBC-CRC instead.
>

Hmm, like I said, I read somewhere that 2K3 didn't support CRC mode, but it may have been wrong.

> In addition I'm using NFS v4 with krb5 authentication so I have a
> restricted set of available enctypes: The NFS stuff needs it to be
> either des-cbc-crc or des-cbc-md5 so I have to have something like
> this in krb5.conf

Okay, you can also specify des-cbc-md5 in addition to what you have there in the krb5.conf file. I think by specifying only crc in your .conf file, Kerberos will only use it and nothing else.

i.e.:

    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes = des-cbc-crc des-cbc-md5

> Thanks for the pointer. I'll have a look.

No problem. It took me a while to get everything working, but once it does, it really is very nice.
