On 17/02/15 22:51, Benjamin Kaduk wrote:
> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>
>> On 17/02/15 17:36, Benjamin Kaduk wrote:
>>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>
>>
>> client% head -20 /etc/krb5.conf
>> [appdefaults]
>> # [dwm] necessary for DOC.IC.AC.UK
>> allow_weak_crypto=true
>>
>> [libdefaults]
>> default_realm = DOC.IC.AC.UK
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>>
>> # [dwm] necessary for DOC.IC.AC.UK
>> allow_weak_crypto=true
>>
>> # The following encryption type specification will be used by MIT Kerberos
>> # if uncommented. In general, the defaults in the MIT Kerberos code are
>
> Are any of the encryption type specifications in the following lines of
> the file uncommented?
>
> I don't think we've heard any other reports of this sort of issue with
> ksu, and I don't think that its code does anything special that would fail
> to respect allow_weak_crypto, so I am rather puzzled at the behavior you
> are seeing.
>
> Also, you say you are upgrading to Ubuntu 14.04 with krb5
> 1.12+dfsg-2ubuntu5.1, but what version were you upgrading from? The krb5
> 1.10+dfsg~beta1-2ubuntu0.6 in Ubuntu 12.04?
>
>
> -Ben
>
Here is my /etc/krb5.conf
(I have double checked that there is no line with
the character '#' in the middle of a line):
---------------------------------------------------------------
client% grep -v '#' /etc/krb5.conf
[appdefaults]
allow_weak_crypto=true
[libdefaults]
default_realm = DOC.IC.AC.UK
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
allow_weak_crypto=true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOC.IC.AC.UK = {
default_domain = doc.ic.ac.uk
kdc = kerberos.doc.ic.ac.uk
kdc = kerberos1.doc.ic.ac.uk
kdc = kerberos2.doc.ic.ac.uk
admin_server = kerberos.doc.ic.ac.uk
auth_to_local = RULE:[1:$1]
auth_to_local = DEFAULT
}
[domain_realm]
.doc.ic.ac.uk = DOC.IC.AC.UK
doc.ic.ac.uk = DOC.IC.AC.UK
.ic.ac.uk = IC.AC.UK
ic.ac.uk = IC.AC.UK
[login]
krb4_convert = true
krb4_get_tickets = false
[pam]
forwardable = true
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
---------------------------------------------------------------
My previous version of the package is:
root@slave1:~# aptitude show krb5-admin-server | grep Version
Version: 1.12+dfsg-2ubuntu5
root@slave1:~# aptitude show krb5-kdc | grep Version
Version: 1.12+dfsg-2ubuntu5
root@slave1:~# aptitude show libkrb5-3 | grep Version
Version: 1.12+dfsg-2ubuntu5
root@slave1:~# aptitude show krb5-user | grep Version
Version: 1.12+dfsg-2ubuntu5
where slave1 is a kerberos server that I have not upgraded yet
---------
I have downloaded this version from
https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5
root@slave:~# uname -a
Linux slave.doc.ic.ac.uk 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3
21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Cheers,
Giuseppe
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
