On 17/02/15 22:51, Benjamin Kaduk wrote:
> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>
>> On 17/02/15 17:36, Benjamin Kaduk wrote:
>>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>
>>
>> client% head -20 /etc/krb5.conf
>> [appdefaults]
>> # [dwm] necessary for DOC.IC.AC.UK
>> allow_weak_crypto=true
>>
>> [libdefaults]
>> default_realm = DOC.IC.AC.UK
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>>
>> # [dwm] necessary for DOC.IC.AC.UK
>> allow_weak_crypto=true
>>
>> # The following encryption type specification will be used by MIT Kerberos
>> # if uncommented. In general, the defaults in the MIT Kerberos code are
>
> Are any of the encryption type specifications in the following lines of
> the file uncommented?
>
> I don't think we've heard any other reports of this sort of issue with
> ksu, and I don't think that its code does anything special that would fail
> to respect allow_weak_crypto, so I am rather puzzled at the behavior you
> are seeing.
>
> Also, you say you are upgrading to Ubuntu 14.04 with krb5
> 1.12+dfsg-2ubuntu5.1, but what version were you upgrading from? The krb5
> 1.10+dfsg~beta1-2ubuntu0.6 in Ubuntu 12.04?
>
>
> -Ben
>
Here is my /etc/krb5.conf (I have double checked that there is no line
with the character '#' in the middle of a line):

---------------------------------------------------------------
client% grep -v '#' /etc/krb5.conf
[appdefaults]
allow_weak_crypto=true

[libdefaults]
default_realm = DOC.IC.AC.UK
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
allow_weak_crypto=true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
DOC.IC.AC.UK = {
    default_domain = doc.ic.ac.uk
    kdc = kerberos.doc.ic.ac.uk
    kdc = kerberos1.doc.ic.ac.uk
    kdc = kerberos2.doc.ic.ac.uk
    admin_server = kerberos.doc.ic.ac.uk
    auth_to_local = RULE:[1:$1]
    auth_to_local = DEFAULT
}

[domain_realm]
.doc.ic.ac.uk = DOC.IC.AC.UK
doc.ic.ac.uk = DOC.IC.AC.UK
.ic.ac.uk = IC.AC.UK
ic.ac.uk = IC.AC.UK

[login]
krb4_convert = true
krb4_get_tickets = false

[pam]
forwardable = true

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
---------------------------------------------------------------

My previous version of the package is:

root@slave1:~# aptitude show krb5-admin-server | grep Version
Version: 1.12+dfsg-2ubuntu5
root@slave1:~# aptitude show krb5-kdc | grep Version
Version: 1.12+dfsg-2ubuntu5
root@slave1:~# aptitude show libkrb5-3 | grep Version
Version: 1.12+dfsg-2ubuntu5
root@slave1:~# aptitude show krb5-user | grep Version
Version: 1.12+dfsg-2ubuntu5

where slave1 is a kerberos server that I have not upgraded yet

---------

I have downloaded this version from
https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5

root@slave:~# uname -a
Linux slave.doc.ic.ac.uk 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Cheers,

Giuseppe

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos