Apologies if anybody sees this twice... I believe my first post failed. I'm facing a problem where a server side app leveraging gssapi on one of my linux boxes fails to honor all service tickets that are presented to it by clients. The tickets are issued by a Windows KDC. The failure returned by gssapi is kerberos error 31 (decimal) AP_ERR_BAD_INTEGRITY.
I am wondering if this related to the ciphers is play. I have been reading every doc I can get my hands on regarding krb5.conf, and I'm still not clear on what, if any, entry in krb5.conf would apply to enctypes to be used when decrypting service tickets recieved from clients. http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.2/doc/krb5admin/libdefaults.html#libdefaults says (paraphrasing): 1) default_tgs_enctypes controls encryption used in TGS_REPs where we are acting as a KDC (not relevant to this scenario) 2) default_tkt_enctypes controls enctypes to be requested in ticket requests, where we are acting as a client principal (also not relevant to this scenario) so that leaves 3) permitted_enctypes which is described as "Identifies all encryption types that are permitted for use in session key encryption." Depending on how you read that sentence, that could be interpreted as being relevant to session key decryption. So, to sum up, if I am failing to accept service tickets that I am recieving as described above with error 31 BAD_INTEGRITY, do you think I should add a "permitted_enctypes" entry with the relevant ciphers(The Windows KDC appears to be using RC4-HMAC or DES-CBC-MD5, depending on configuration), or am I barking up the completely wrong tree? In the latter case, can anyone suggest a better tree? Thanks -Matt ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
