Solution:
Edit the Kerberos configuration file (for me it's /etc/krb5.conf), and add this line in the [libdefaults] section:allow_weak_crypto = true
Details:
More of the same... (see my posts on Berkeley DB) I compiled the latest version of Heimdal Kerberos the other day (it's the recommended flavor of Kerberos to use with OpenLDAP), and after getting everything set up, I would get these errors when trying to run LDAP searches:SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (encryption type 2 not supportedt))
(sometimes it also said
encryption type 1 not supportedt
, again with the t on the end of supported)My first thought was maybe I didn't have a valid Kerberos ticket, but when running kinit, I would get this:
kinit: krb5_get_init_creds: BAD_ENCRYPTION_TYPE"
Google searches on those terms didn't get me far, but after looking through the Heimdal documentation, I realized they deprecated support for DES encryption in Heimdal 1.3. The solution I discovered for enabling it again is posted above.
Et voila! Back in business.
More information: DES will die in Heimdal 1.3
Perfect, thanks!!
ReplyDelete