Kerberos Authentication on Linux
Jörg Herzinger
joerg at global2000.at
Thu Apr 1 06:59:39 PDT 2010
Ok, I made some progress. The KRB5CCNAME seems to be somewhat correct and in Firefox i edited negotiate-auth.*-uris to "cups.g2". If I now do a kdestroy and kinit as user and try to acces the cups interface I get the following KDC logs:
Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.42.42: ISSUE: authtime 1270130014, etypes {rep=16 tkt=18 ses=18}, joerg at GLOBAL2000.AT for HTTP/cups.g2 at GLOBAL200
0.AT
Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (1 etypes {18}) 192.168.42.42: BAD_ENCRYPTION_TYPE: authtime 1270130014, joerg at GLOBAL2000.AT for krbtgt/GLOBAL2000.AT at GLOBAL2000.AT, KDC has no suppor
t for encryption type
Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.42.42: ISSUE: authtime 1270130014, etypes {rep=16 tkt=16 ses=16}, joerg at GLOBAL2000.AT for krbtgt/GLOBAL2000.AT at G
LOBAL2000.AT
And klist as user gives:
...
Default principal: joerg at GLOBAL2000.AT
Valid starting Expires Service principal
04/01/10 15:53:34 04/02/10 01:53:34 krbtgt/GLOBAL2000.AT at GLOBAL2000.AT
renew until 04/01/10 15:53:34
04/01/10 15:53:54 04/02/10 01:53:34 HTTP/cups.g2@
renew until 04/01/10 15:53:34
04/01/10 15:53:54 04/02/10 01:53:34 HTTP/cups.g2 at GLOBAL2000.AT
renew until 04/01/10 15:53:34
The BAD_ENCRYPTION_TYPE seems to be the issue. I just don't know yet what to do with it.
More information about the cups
mailing list