Re: gssapi-with-mic and a Windows AD KDC

On 3/14/06, Ian Grant <ian.grant@cl.cam.ac.uk> wrote:
> Hi Sam,
>
> Thanks.
>
> On 14 Mar 2006, at 15:25, Sam Evans wrote:
>
> So you can do gssapi-with-mic with a Windows 2003 KDC? What version
> of OpenSSH do you use?

Yes.  The windows machines in my environment are able to use a
kerberized version of Putty to log into the unix machines by accepting
the kerberos ticket issued to them by the DC.

Additionally, Unix machines are able to grab a krb5 ticket from the DC
and then SSO authentication works from machine to machine.

I am using OpenSSH 4.2p1 as well as 4.3p2.

> > On your KTPASS.EXE command line, add the following switch: -crypto
> > DES-CBC-MD5
>
> That's what I had before, and it didn't work, so I mailed this list.
> I was advised to try DES-CBC-CRC instead.

Hmm, like I said, I read somewhere that 2K3 didn't support CRC mode,
but it may have been wrong.

> In addition I'm using NFS v4 with krb5 authentication so I have a
> restricted set of available enctypes: The NFS stuff needs it to be
> either des-cbc-crc or des-cbc-md5 so I have to have something like
> this in krb5.conf

Okay, you can also specify des-cbc-md5 in addition to what you have
there in the krb5.conf file.  I think my specifying only crc in your
.conf file, kerberos will only use it and nothing else.

i.e.:

default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc des-cbc-md5

> Thanks for the pointer. I'll have a look.

No problem.  It took me a while to get everything working, but once it
does, it really is very nice.