Kerberos Authentication on Linux

Jörg Herzinger joerg at global2000.at
Thu Apr 1 06:59:39 PDT 2010


Ok, I made some progress. The KRB5CCNAME seems to be somewhat correct and in Firefox I edited negotiate-auth.*-uris to "cups.g2". If I now do a kdestroy and kinit as user and try to access the cups interface I get the following KDC logs:


Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.42.42: ISSUE: authtime 1270130014, etypes {rep=16 tkt=18 ses=18}, joerg at GLOBAL2000.AT for HTTP/cups.g2 at GLOBAL2000.AT
Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (1 etypes {18}) 192.168.42.42: BAD_ENCRYPTION_TYPE: authtime 1270130014,  joerg at GLOBAL2000.AT for krbtgt/GLOBAL2000.AT at GLOBAL2000.AT, KDC has no support for encryption type
Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.42.42: ISSUE: authtime 1270130014, etypes {rep=16 tkt=16 ses=16}, joerg at GLOBAL2000.AT for krbtgt/GLOBAL2000.AT at GLOBAL2000.AT

And klist as user gives:
...
Default principal: joerg at GLOBAL2000.AT

Valid starting     Expires            Service principal
04/01/10 15:53:34  04/02/10 01:53:34  krbtgt/GLOBAL2000.AT at GLOBAL2000.AT
	renew until 04/01/10 15:53:34
04/01/10 15:53:54  04/02/10 01:53:34  HTTP/cups.g2@
	renew until 04/01/10 15:53:34
04/01/10 15:53:54  04/02/10 01:53:34  HTTP/cups.g2 at GLOBAL2000.AT
	renew until 04/01/10 15:53:34

The BAD_ENCRYPTION_TYPE seems to be the issue. I just don't know yet what to do with it.
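
Added example, not part of the original post and not code from CUPS or MIT krb5: a Python parser for the three KDC log lines quoted above that decodes the etype numbers, so it is visible which encryption types each request offered and which the KDC issued. The function names are illustrative assumptions; the etype names are the standard Kerberos number assignments.

```python
import re

# Kerberos etype numbers (IANA registry) with the names MIT krb5 uses.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# The three KDC lines from the post, line wraps rejoined. The list archive
# rewrote "@" as " at "; the parser accepts either form.
SAMPLE_LOG = """\
Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.42.42: ISSUE: authtime 1270130014, etypes {rep=16 tkt=18 ses=18}, joerg at GLOBAL2000.AT for HTTP/cups.g2 at GLOBAL2000.AT
Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (1 etypes {18}) 192.168.42.42: BAD_ENCRYPTION_TYPE: authtime 1270130014,  joerg at GLOBAL2000.AT for krbtgt/GLOBAL2000.AT at GLOBAL2000.AT, KDC has no support for encryption type
Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.42.42: ISSUE: authtime 1270130014, etypes {rep=16 tkt=16 ses=16}, joerg at GLOBAL2000.AT for krbtgt/GLOBAL2000.AT at GLOBAL2000.AT
"""

LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+): authtime \d+,\s+"
    # The issued-etypes group is absent on error lines.
    r"(?:etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>.+?) for (?P<service>[^,]+)")

def etype_name(n):
    return ETYPES.get(n, f"unknown({n})")

def parse_kdc_line(line):
    """Parse one krb5kdc AS_REQ/TGS_REQ line into a dict, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(n) for n in rec["offered"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def etype_failures(log_text):
    """(service, offered etype names) for each BAD_ENCRYPTION_TYPE request."""
    recs = (parse_kdc_line(l) for l in log_text.splitlines())
    return [(r["service"], [etype_name(n) for n in r["offered"]])
            for r in recs if r and r["status"] == "BAD_ENCRYPTION_TYPE"]

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = parse_kdc_line(line)
        issued = "" if r["tkt"] is None else (
            f" -> ticket {etype_name(r['tkt'])}, session {etype_name(r['ses'])}")
        offered = ", ".join(etype_name(n) for n in r["offered"])
        print(f"{r['status']:<20} {r['service']}: offered [{offered}]{issued}")
```

On the sample lines, the only rejected request is the one for krbtgt/GLOBAL2000.AT that offered etype 18 alone; the retry offering all seven etypes was issued with etype 16.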



