On 5/9/25 13:55, Orion Poplawski wrote:
> On 5/9/25 07:21, Daniel Kobras wrote:
>> Hi!
>>
>> On 07.05.25 at 19:39, Orion Poplawski wrote:
>>> I tried adding this to the mac without any change:
>>>
>>> [libdefaults]
>>> permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
>>> camellia128-cts-cmac
>>> default_tgs_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
>>> camellia128-cts-cmac
>>
>> Those are options for MIT's libkrb5. Unless you're using a non-default stack
>> on the mac, you probably want to use Heimdal's default_etypes, or the more
>> specific default_as_etypes/default_tgs_etypes instead.
>
> I ended up slimming down to:
>
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>
> but those are the option names from man krb5.conf on the mac.

I should have trusted you :) - I finally came across this:

https://services.dartmouth.edu/TDClient/1806/Portal/KB/ArticleDet?ID=89203

which has:

default_etypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

and setting that does fix the skey encryption type. I'm still stuck with the
non-renewable ticket that they mention as well, so it seems like GSSAPI auth
from a mac is not very useful.

Thank you very much for your help.

-- 
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/
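The option-name mismatch resolved in this thread, as an added example that is not part of the original messages: a small check that reads [libdefaults] and reports which enctype settings belong to the other Kerberos stack. The name sets follow only what the thread says (they are not a complete list of either library's options), and the function names, realm and KDC host are constructed for illustration.

```python
import re

# Option names as the thread attributes them: *_enctypes to MIT libkrb5,
# *_etypes to Heimdal. Assumption: not a full list for either library.
MIT_NAMES = {"permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"}
HEIMDAL_NAMES = {"default_etypes", "default_as_etypes", "default_tgs_etypes"}

# Constructed sample (realm and KDC are placeholders), using the slimmed-down
# settings quoted in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""

def libdefaults_options(conf_text):
    """Return {option: [values]} for top-level relations in [libdefaults]."""
    options, section, depth = {}, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip()
        elif line.endswith("{"):             # entering a nested block
            depth += 1
        elif line.startswith("}"):           # leaving a nested block
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            options[key] = value.replace(",", " ").split()
    return options

def lint_enctype_options(conf_text, stack):
    """Split enctype settings into those named for `stack` and those named for the other one."""
    own, other = (MIT_NAMES, HEIMDAL_NAMES) if stack == "mit" else (HEIMDAL_NAMES, MIT_NAMES)
    opts = libdefaults_options(conf_text)
    return {"ignored": sorted(k for k in opts if k in other),
            "effective": {k: v for k, v in opts.items() if k in own}}

if __name__ == "__main__":
    print(lint_enctype_options(SAMPLE, "heimdal"))
```

An empty "effective" result for the stack actually in use means none of the enctype restrictions in the file are written under names the thread associates with that library.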