gssapi-with-mic and Win2K KDC?

Douglas E. Engert deengert at anl.gov
Sat May 29 03:39:40 EST 2004



Aaron Grewell wrote:
> 
> Upgrading to the 3.8.x versions of OpenSSH appears to have broken
> support for Win2K KDC's.  Win2K supports gssapi just fine, but the new
> gssapi-with-mic does not appear to work.  

It works for us. We have used W2000 ADs, and they are now all W2003 ADs. 
OpenSSH-3.8p1. 

What type of errors are you seeing?

> I was able to use the old
> 3.6.x versions with Kerberos authentication, and the newer 3.7.x
> versions with gssapi authentication, but 3.8.x does not seem to work at
> all.  The mitm patch provided for 3.8p1 does work, but it seems unlikely
> it will be maintained over the long term.  What are the odds the gssapi
> functionality might be retained for compatibility purposes? 

The community should be making an effort to move towards getting rid
of the gssapi, and move to the gssapi-with-mic with all due haste.  

> Even if it
> were a default-off compile-time option that would work for me.  The
> soonest MS would be likely to update their gssapi support would be
> Longhorn Server in the 2006-2007 timeframe (if at all) so the
> interoperability issues with their KDC's are likely to continue for some
> time to come.
> 
> Thanks much,
> Aaron Grewell
> Network Administrator
> University of Washington Bothell
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
