Config for enctypes on *recieved* service tickets

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Config for enctypes on *recieved* service tickets

Matt Reynolds
I'm facing a problem where an app leveraging gssapi on one of my linux
boxes fails to decrypt service tickets it recieves from clients. The
tickets are issued by a Windows KDC. The failure returned by gssapi is
kerberos error 31 (decimal) AP_ERR_BAD_INTEGRITY.

I am wondering if this related to the ciphers is play. I have been
reading every doc I can get my hands on regarding krb5.conf, and I'm
still not clear on what, if any, entry in krb5.conf would apply to
enctypes to be used when decrypting service tickets recieved from

 1) default_tgs_enctypes controls encryption used in TGS_REPs where we
are acting as a KDC (not relevant to this scenario)

 2) default_tkt_enctypes controls enctypes to be requested in ticket
requests, where we are acting as a client principal (also not relevant
to this scenario)

so that leaves

 3) permitted_enctypes which is described as "Identifies all
encryption types that are permitted for use in session key
encryption." Depending on how you read that sentence, that could be
interpreted as being relevant to session key decryption.

So, to sum up, if I am failing to accept service tickets that I am
recieving as described above with error 31 BAD_INTEGRITY, do you think
I should add a "permitted_enctypes" entry with the relevant ciphers
(The Windows KDC appears to be using RC4-HMAC or DES-CBC-MD5,
depending on configuration), or am I barking up the completely wrong

In the latter case, can anyone suggest a better tree?



Kerberos mailing list           [hidden email]