Kerberos Authentication on Linux

Jörg Herzinger joerg at global2000.at
Fri Apr 2 04:48:12 PDT 2010


> Ok, I made some progress. The KRB5CCNAME seems to be somewhat correct and in Firefox I edited negotiate-auth.*-uris to "cups.g2". If I now do a kdestroy and kinit as user and try to access the cups interface I get the following KDC logs:
>
>
> Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.42.42: ISSUE: authtime 1270130014, etypes {rep=16 tkt=18 ses=18}, joerg at GLOBAL2000.AT for HTTP/cups.g2 at GLOBAL2000.AT
> Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (1 etypes {18}) 192.168.42.42: BAD_ENCRYPTION_TYPE: authtime 1270130014,  joerg at GLOBAL2000.AT for krbtgt/GLOBAL2000.AT at GLOBAL2000.AT, KDC has no support for encryption type
> Apr 01 15:53:54 kerberos1 krb5kdc[15317](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.42.42: ISSUE: authtime 1270130014, etypes {rep=16 tkt=16 ses=16}, joerg at GLOBAL2000.AT for krbtgt/GLOBAL2000.AT at GLOBAL2000.AT
>
> And klist as user gives:
> ...
> Default principal: joerg at GLOBAL2000.AT
>
> Valid starting     Expires            Service principal
> 04/01/10 15:53:34  04/02/10 01:53:34  krbtgt/GLOBAL2000.AT at GLOBAL2000.AT
> 	renew until 04/01/10 15:53:34
> 04/01/10 15:53:54  04/02/10 01:53:34  HTTP/cups.g2@
> 	renew until 04/01/10 15:53:34
> 04/01/10 15:53:54  04/02/10 01:53:34  HTTP/cups.g2 at GLOBAL2000.AT
> 	renew until 04/01/10 15:53:34
>
> The BAD_ENCRYPTION_TYPE seems to be the issue. I just don't know yet what to do with it.

Well, I found that the BAD_ENCRYPTION_TYPE actually is a problem with Debian's default settings and happens quite a lot in my setup, so this is not the actual problem. So, I do get the HTTP/cups.g2 ticket, so this seems to be correct, but cups still screams those "No authentication data provided" and "Error accepting GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information," errors. I think the second one actually is that BAD_ENCRYPTION_TYPE.
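
An added example, not part of the original message and not CUPS or Kerberos project code: a small parser that decodes the etype numbers in krb5kdc request lines like those quoted above and lists the requests the KDC refused. The regex covers only the two line shapes seen in the quoted log, and the sample lines, host names and principals are constructed placeholders.

```python
import re

# Kerberos encryption type numbers that appear in the quoted KDC log.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}

# Matches both shapes of krb5kdc request line: ISSUE (with rep/tkt/ses)
# and failures such as BAD_ENCRYPTION_TYPE (without them).
LINE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?:etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)

def name(n):
    """Map an etype number to its name; unknown numbers stay visible."""
    return ETYPES.get(n, f"etype-{n}")

def parse(line):
    """Return a dict for one request line, or None if it is not one."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [name(int(n)) for n in rec["offered"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = name(int(rec[key])) if rec[key] else None
    return rec

def failures(lines):
    """(service, status, offered etypes) for every request the KDC refused."""
    recs = filter(None, map(parse, lines))
    return [(r["service"], r["status"], r["offered"]) for r in recs if r["status"] != "ISSUE"]

# Constructed sample lines modelled on the quoted log; principals are placeholders.
SAMPLE = [
    "Apr 01 15:53:54 kdc krb5kdc[1](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1270130014, etypes {rep=16 tkt=18 ses=18}, user@EXAMPLE.TEST for HTTP/print.example.test@EXAMPLE.TEST",
    "Apr 01 15:53:54 kdc krb5kdc[1](info): TGS_REQ (1 etypes {18}) 192.0.2.10: BAD_ENCRYPTION_TYPE: authtime 1270130014,  user@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC has no support for encryption type",
]

if __name__ == "__main__":
    for rec in map(parse, SAMPLE):
        print(rec["status"], rec["service"], rec["offered"], rec["rep"], rec["tkt"], rec["ses"])
    print(failures(SAMPLE))
```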



