[Bug 567188] Re: krb5 and ADS error using 10.04, not 9.04
Troc Ster
tom at m7sys.com
Fri Jun 4 17:45:40 BST 2010
I have encountered this issue as well. I use pam_kerberos and AD for
authentication and login authorization; this works fine.

However, this issue affects Kerberos-mediated Single Sign On to apache
sites using mod_auth_kerb.so version 5.1 on the web server and the krb5
libraries on 10.04 (this used to work fine in 9.04). The SSO web
authentication fails and falls back to less desirable methods (username
password).

The issue is resolved by adding "allow_weak_crypto = true" in
/etc/krb5.conf
Package: krb5-user
Version: 1.8.1+dfsg-2
Package: firefox
Version: 3.6.3+nobinonly-0ubuntu4
The Wireshark trace shows the client doing a TGS-REQ to the kdc where the
padata: PA-TGS-REQ
-> value .. AP-REQ
-> Authenticator rc4-hmac
-> Encryption type: rc4-hmac (23)
-> Authenticator data: ........
The response is a KRB-ERROR with error code KRB5KDC_ERR_ETYPE_NOSUPP.

After adding "allow_weak_crypto = true" the TGS-REQ to the kdc is
responded with a TGS-REP which includes a ticket. The SSO session with
the apache server continues, and the Wireshark trace shows the following
in the http headers:
GSS-API
-> SPNEGO
-> negTokenInit
-> krb5_blob
-> Kerberos AP-REQ
-> Authenticator des-cbc-crc
-> Encryption type: des-cbc-crc (1)
-> Authenticator data: ....

Will add more info if needed. For now the extra line works. Thank
you for the suggestion.
--
krb5 and ADS error using 10.04, not 9.04
https://bugs.launchpad.net/bugs/567188
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
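
A configuration check for the workaround discussed in this report, as an added example that is not part of the original message or of krb5 itself: it parses the [libdefaults] section of krb5.conf text and reports when allow_weak_crypto is enabled and which configured enctypes are weak (such as the des-cbc-crc seen in the second trace). The weak-enctype name list and both sample configurations are assumptions constructed for illustration.

```python
import re

# Enctype names treated as weak here (assumed list; check your krb5 release's docs).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                 "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp", "rc4-hmac-exp"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def parse_libdefaults(text):
    """Return top-level key/value relations from the [libdefaults] section."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings.setdefault(key, value)    # keep the first occurrence
    return settings

def audit_krb5_conf(text):
    """Return a list of findings about weak crypto settings."""
    settings = parse_libdefaults(text)
    weak_on = settings.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    findings = []
    if weak_on:
        findings.append("allow_weak_crypto is enabled: weak enctypes may be negotiated")
    for key in ENCTYPE_KEYS:
        listed = re.split(r"[,\s]+", settings.get(key, "").lower())
        weak = sorted(e for e in listed if e in WEAK_ENCTYPES)
        if weak:
            state = "usable" if weak_on else "filtered while allow_weak_crypto is off"
            findings.append(f"{key} lists {', '.join(weak)} ({state})")
    return findings

# Constructed sample: the workaround from this report plus an explicit enctype list.
WORKAROUND_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts rc4-hmac des-cbc-crc
"""
# Constructed sample: no weak-crypto override.
STRICT_CONF = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"

if __name__ == "__main__":
    for finding in audit_krb5_conf(WORKAROUND_CONF):
        print("FINDING:", finding)
```

Per-realm sub-blocks and included files are not followed; only top-level [libdefaults] relations are inspected.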