This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Re: [ITP] heimdal
On Mar 23 14:43, Yaakov (Cygwin/X) wrote:
> On 2012-03-23 04:04, Corinna Vinschen wrote:
> >On Mar 22 21:03, Yaakov (Cygwin/X) wrote:
> >>So while I suspect we're going to get a lot of questions on the
> >>list, as this is working properly, I'm going to go ahead and upload
> >>this with the fixed localstatedir.
> >
> >Thank you, that sounds like a good idea. However, I didn't have a
> >problem with kinit. I could also create a ticket, but ssh -K didn't
> >work and only printed this confusing error message "unknown mech-code
> >2529639054 ..."
> >
> >Perhaps I did something invalid? My KDC is a 2008 AD DC. I tried to
> >ssh to my Linux box whose only connection to AD is the krb5.conf file for
> >Samba. Sure, I changed the sshd_config file to allow GSSAPI and
> >Kerberos, but... is there anything else to do to get that working, maybe?
>
> Did you create a /etc/krb5.keytab? I think this needs to be done
> with ktpass:
>
> http://technet.microsoft.com/en-us/library/cc753771%28v=ws.10%29.aspx

Thanks for the hint. With this, I also found a full recipe
http://technet.microsoft.com/en-us/library/bb742433.aspx

It seems to be a step in the right direction but it still didn't work
for me. I created a file for the Linux machine with the "/crypt all"
option, which results in a keytab file with 5 encryptions: DES-CBC-CRC,
DES-CBC-MD5, RC4-HMAC, AES256-SHA1, and AES128-SHA1. Then I tried
kinit with all supported encryptions per the krb5.conf man page. For
some reason the AES encryptions didn't work at all. When I tried to
set default_etypes = aes256-cts-hmac-sha1-96 on the Cygwin machine,
kinit failed with "unsupported encryption". In all other cases I still
got the ssh log output:

  debug1: Miscellaneous failure (see text)
  unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10
  debug2: we sent a gssapi-with-mic packet, wait for reply
  debug1: Delegating credentials
  debug1: Delegating credentials
  debug1: Miscellaneous failure (see text)
  Generic error (see e-text)

Oh well, I guess I just give up. You proved that it works and I'm
trying a pretty unlikely combination.

> I'll try to get back to this after the weekend.

Only if you like. Otherwise, let's just go ahead.

Thanks for your help,
Corinna

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat