On 18/02/15 10:57, Giuseppe Mazza wrote:
> On 17/02/15 22:51, Benjamin Kaduk wrote:
>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>
>>> On 17/02/15 17:36, Benjamin Kaduk wrote:
>>>> On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
>>>
>>>
>>> client% head -20 /etc/krb5.conf
>>> [appdefaults]
>>> # [dwm] necessary for DOC.IC.AC.UK
>>> allow_weak_crypto=true
>>>
>>> [libdefaults]
>>> default_realm = DOC.IC.AC.UK
>>>
>>> # The following krb5.conf variables are only for MIT Kerberos.
>>> krb4_config = /etc/krb.conf
>>> krb4_realms = /etc/krb.realms
>>> kdc_timesync = 1
>>> ccache_type = 4
>>> forwardable = true
>>> proxiable = true
>>>
>>> # [dwm] necessary for DOC.IC.AC.UK
>>> allow_weak_crypto=true
>>>
>>> # The following encryption type specification will be used by MIT Kerberos
>>> # if uncommented. In general, the defaults in the MIT Kerberos code are
>>
>> Are any of the encryption type specifications in the following lines of
>> the file uncommented?
>>
>> I don't think we've heard any other reports of this sort of issue with
>> ksu, and I don't think that its code does anything special that would fail
>> to respect allow_weak_crypto, so I am rather puzzled at the behavior you
>> are seeing.
>>
>> Also, you say you are upgrading to Ubuntu 14.04 with krb5
>> 1.12+dfsg-2ubuntu5.1, but what version were you upgrading from? The krb5
>> 1.10+dfsg~beta1-2ubuntu0.6 in Ubuntu 12.04?
>>
>>
>> -Ben
>>
>
> Here is my /etc/krb5.conf
> (I have double checked that there is no line with
> the character '#' in the middle of a line):
>
> ---------------------------------------------------------------
> client% grep -v '#' /etc/krb5.conf
> [appdefaults]
> allow_weak_crypto=true
>
> [libdefaults]
> default_realm = DOC.IC.AC.UK
>
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> allow_weak_crypto=true
>
> v4_instance_resolve = false
> v4_name_convert = {
>     host = {
>         rcmd = host
>         ftp = ftp
>     }
>     plain = {
>         something = something-else
>     }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> DOC.IC.AC.UK = {
>     default_domain = doc.ic.ac.uk
>     kdc = kerberos.doc.ic.ac.uk
>     kdc = kerberos1.doc.ic.ac.uk
>     kdc = kerberos2.doc.ic.ac.uk
>     admin_server = kerberos.doc.ic.ac.uk
>     auth_to_local = RULE:[1:$1]
>     auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .doc.ic.ac.uk = DOC.IC.AC.UK
> doc.ic.ac.uk = DOC.IC.AC.UK
> .ic.ac.uk = IC.AC.UK
> ic.ac.uk = IC.AC.UK
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> [pam]
> forwardable = true
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
>
> ---------------------------------------------------------------
> My previous version of the package is:
>
> root@slave1:~# aptitude show krb5-admin-server | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root@slave1:~# aptitude show krb5-kdc | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root@slave1:~# aptitude show libkrb5-3 | grep Version
> Version: 1.12+dfsg-2ubuntu5
> root@slave1:~# aptitude show krb5-user | grep Version
> Version: 1.12+dfsg-2ubuntu5
>
> where slave1 is a kerberos server that I have not upgraded yet
> ---------
>
>
> I have downloaded this version from
> https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5
>
>
> root@slave:~# uname -a
> Linux slave.doc.ic.ac.uk 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Cheers,
> Giuseppe

(I have shortened the word "collegue" sometimes for better formatting)

A colleague of mine lets me know that it could be a different issue.
Here is his root principal:

kadmin.local: get_principal collegue/root
Principal: collegue/r...@doc.ic.ac.uk
Expiration date: [never]
Last password change: Thu Feb 24 11:40:22 GMT 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Feb 18 11:26:15 GMT 2015 (colleg/ad...@doc.ic.ac.uk)
Last successful authentication: Wed Feb 18 11:26:22 GMT 2015
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 2, des-cbc-crc, Version 4
Key: vno 2, des-cbc-crc, AFS version 3
Key: vno 2, arcfour-hmac, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

(Please note the user has got a DES root principal)

kadmin.local: get_principal host/client.doc.ic.ac.uk
Principal: host/client.doc.ic.ac...@doc.ic.ac.uk
Expiration date: [never]
Last password change: Tue Feb 17 16:06:24 GMT 2015
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Feb 18 11:25:40 GMT 2015 (colleg/ad...@doc.ic.ac.uk)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: machine

If the user does not have "Attributes: REQUIRES_PRE_AUTH" and the machine
does, ksu fails with the error message that I have posted.

If the machine does not have "Attributes: REQUIRES_PRE_AUTH", ksu works
regardless of the user's setting.

Cheers,
Giuseppe
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
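
Added example, not part of the original message or of MIT krb5: a small audit of `get_principal` output in the layout shown above, listing each principal's key enctypes, flagging single-DES keys, and reporting the pre-authentication combination described in the message. The principal names, the realm and the rule that an enctype name starting with `des-` means single DES are assumptions of the example.

```python
# Constructed sample in the get_principal layout shown in the message;
# principal names and realm are placeholders, not values from the thread.
SAMPLE = """\
Principal: alice/root@EXAMPLE.ORG
Number of keys: 3
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, Version 4
Key: vno 2, arcfour-hmac, no salt
MKey: vno 1
Attributes:
Policy: default
Principal: host/client.example.org@EXAMPLE.ORG
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: machine
"""

def parse_principals(text):
    """Return {principal: {"enctypes": [...], "preauth": bool}}."""
    out, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            name = line.split(":", 1)[1].strip()
            cur = out.setdefault(name, {"enctypes": [], "preauth": False})
        elif cur is None:
            continue  # ignore anything before the first principal
        elif line.startswith("Key:"):  # "MKey:" lines do not match this prefix
            fields = [f.strip() for f in line.split(":", 1)[1].split(",")]
            if len(fields) >= 2:  # fields: vno, enctype, optional salt type
                cur["enctypes"].append(fields[1])
        elif line.startswith("Attributes:"):
            attrs = line.split(":", 1)[1].split()
            cur["preauth"] = "REQUIRES_PRE_AUTH" in attrs
    return out

def single_des_keys(info):
    """Enctypes treated as single DES (assumption: name starts with 'des-')."""
    return sorted({e for e in info["enctypes"] if e.startswith("des-")})

def preauth_mismatch(user, host):
    """True for the reported combination: host requires preauth, user does not."""
    return host["preauth"] and not user["preauth"]

if __name__ == "__main__":
    for name, info in parse_principals(SAMPLE).items():
        print(name, "single-DES:", single_des_keys(info), "preauth:", info["preauth"])
```
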