[Deploying Sakai] Kerberos Provider and JDK 6 Update 26
Martin B. Smith
smithmb at ufl.edu
Thu Jul 21 07:21:35 PDT 2011
On 07/21/2011 10:14 AM, Matthew Buckett wrote:
> Do you mean remove them from the KDC?
> I'd been trying with a kerberos config of:
> default_realm = OX.AC.UK
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
> but having no success.
Yes, I mean you'll have to remove some of the enctypes that Java is
trying to use with an incorrect salt. Your settings above look
reasonable, but have you tried running Wireshark and looking at the
packets exchanged when this fails? That should give you a hint as to
what enctype is triggering the broken behavior from Java.
Note that once you change the settings above, you will need to dump/load
your KDB with the new settings or change the password for each affected
>> > The Oracle folks tell me it will be fixed in 6u28, which should be released
>> > in October.
> :-) Thanks for the update. Is there an Oracle bug ID that you know of?
I've asked for a bug ID from the Oracle developer I've been working
with, but I haven't heard back yet. I had originally submitted a bug
when I first started working on this issue, but I don't think it ever
got published on the Sun bug site.
Hope this helps,
Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida
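
An added example, not part of the original message or of Sakai's code: a small check of a krb5.conf `[libdefaults]` section that reports which of the three enctype settings quoted above would still let a given enctype through, for instance one seen failing in a packet capture. The sample config, the helper names and the rule that an unset setting counts as allowing (because the library's fallback list then applies) are assumptions.

```python
import re

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: the settings quoted in the message, with
# permitted_enctypes commented out to show the "unset" case.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = OX.AC.UK
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    ; permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
    OX.AC.UK = {
        kdc = kdc.example.invalid
    }
"""

def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section only."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def enctype_lists(text):
    """Map each enctype setting to its list, or None when it is unset."""
    conf = parse_libdefaults(text)
    return {k: re.split(r"[,\s]+", conf[k].lower()) if k in conf else None
            for k in ENCTYPE_KEYS}

def settings_allowing(text, enctype):
    """Settings that do not exclude `enctype`.

    Assumption: an unset setting counts as allowing, since the list the
    Kerberos library falls back to is not visible in the file.
    """
    lists = enctype_lists(text)
    return [k for k, v in lists.items() if v is None or enctype.lower() in v]

if __name__ == "__main__":
    for key, value in enctype_lists(SAMPLE_CONF).items():
        print(key, "=>", value if value is not None else "unset")
```

An empty result from `settings_allowing` means all three settings exclude the enctype; any name it returns is a setting that still needs tightening in the file the JVM actually reads.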