From: [EMAIL PROTECTED] > >Assuming this works for you, I'd be interested in knowing > what the exact > >nature of the problem is, I hate fixing something blindly > without knowing > >why it's fixed. > > this has fixed most of the problems, except i can't ssh out > from the KDC using > kerberos auth. messing with broken_des3_mic = host/[EMAIL PROTECTED] > will probably fix > that, haven't tried it yet. > > i think this reflects that current has heimdal 0.7 and 3.9 > release has 0.6. see > http://www.thebestisp.com/man.php/man/gssapi/3 . again, i > have not throroughly > checked this.
To turn on compatibility with older clients and servers, change the [gssapi] broken_des3_mic in krb5.conf that contains a list of globbing expressions that will be matched against the server name. To turn off generation of the old (incompatible) mic of the MIC use [gssapi] correct_des3_mic. So maybe you need 'broken_des3_mic' on the KDC instead of 'correct_des3_mic'. DS