Re: gssapi-with-mic and a Windows AD KDC

On 3/14/06, Ian Grant <ian.grant@xxxxxxxxxxxx> wrote:
Hi Sam,

Thanks.

On 14 Mar 2006, at 15:25, Sam Evans wrote:

So you can do gssapi-with-mic with a Windows 2003 KDC? What version
of OpenSSH do you use?

Yes. The Windows machines in my environment are able to use a
kerberized version of PuTTY to log into the Unix machines by accepting
the Kerberos ticket issued to them by the DC.

Additionally, Unix machines are able to grab a krb5 ticket from the DC
and then SSO authentication works from machine to machine.

I am using OpenSSH 4.2p1 as well as 4.3p2.


On your KTPASS.EXE command line, add the following switch: -crypto
DES-CBC-MD5

That's what I had before, and it didn't work, so I mailed this list.
I was advised to try DES-CBC-CRC instead.


Hmm, like I said, I read somewhere that 2K3 didn't support CRC mode,
but it may have been wrong.

In addition I'm using NFS v4 with krb5 authentication so I have a
restricted set of available enctypes: The NFS stuff needs it to be
either des-cbc-crc or des-cbc-md5 so I have to have something like
this in krb5.conf

Okay, you can also specify des-cbc-md5 in addition to what you have
there in the krb5.conf file. I think by specifying only crc in your
.conf file, Kerberos will only use it and nothing else.

i.e.:

default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc des-cbc-md5

Thanks for the pointer. I'll have a look.

No problem. It took me a while to get everything working, but once it
does, it really is very nice.
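As an added example (not code from either poster), this Python script checks a krb5.conf [libdefaults] fragment against `klist -k -e` output for the mismatch the thread is about: a keytab key whose enctype the client's enctype lists exclude, so it can never be negotiated. The config fragment, principal and klist output are constructed, and the enctype display names assume MIT krb5's klist wording.

```python
import re

# Constructed krb5.conf fragment: only des-cbc-crc listed, as in the original post
KRB5_CONF = """
[libdefaults]
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    permitted_enctypes = des-cbc-crc
"""

# Constructed `klist -k -e` output for a keytab made with ktpass -crypto DES-CBC-MD5
KLIST_OUTPUT = """
Keytab name: FILE:/etc/krb5.keytab
   3 host/unixbox.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
"""

# MIT klist display names for the two enctypes the thread discusses (assumed wording)
KLIST_NAMES = {"des cbc mode with crc-32": "des-cbc-crc",
               "des cbc mode with rsa-md5": "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_conf_enctypes(conf_text):
    # {key: [enctype, ...]} for the three enctype lists in [libdefaults]
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+)", line)
        if m and m.group(1) in ENCTYPE_KEYS:
            found[m.group(1)] = m.group(2).lower().split()
    return found

def parse_keytab_enctypes(klist_text):
    # {principal: {enctype, ...}} from the "KVNO principal (enctype)" lines
    keys = {}
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\((.+)\)\s*$", klist_text, re.M):
        enctype = KLIST_NAMES.get(m.group(2).lower(), m.group(2).lower())
        keys.setdefault(m.group(1), set()).add(enctype)
    return keys

def check_enctypes(conf_text, klist_text):
    # Keytab keys whose enctype the client config excludes can never be used,
    # which is the ktpass -crypto / krb5.conf mismatch discussed in the thread.
    conf = parse_conf_enctypes(conf_text)
    problems = []
    for principal, enctypes in parse_keytab_enctypes(klist_text).items():
        for key in ENCTYPE_KEYS:
            missing = enctypes - set(conf.get(key, []))
            if conf.get(key) and missing:  # an absent key means "no restriction"
                problems.append(f"{principal}: {sorted(missing)} not in {key}")
    return problems
```

Adding des-cbc-md5 to the three lists, as suggested above, makes the check come back empty; both enctypes in this thread are single DES, which RFC 6649 deprecated, and the same check applies unchanged to the AES enctypes current KDCs offer.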