[29263] in Kerberos


Re: Kerberos V5 refuses authentication because Kerberos

daemon@ATHENA.MIT.EDU (Kevin Coffman)
Fri Feb 15 09:38:57 2008

Message-ID: <4d569c330802150632r440f58c0nfad14b42e5bbe4f@mail.gmail.com>
Date: Fri, 15 Feb 2008 09:32:00 -0500
From: "Kevin Coffman" <kwc@citi.umich.edu>
To: "Victor Sudakov" <vas@mpeks.no-spam-here.tomsk.su>
In-Reply-To: <fp38ph$f8i$1@relay.tomsk.ru>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, Feb 15, 2008 at 12:43 AM, Victor Sudakov
<vas@mpeks.no-spam-here.tomsk.su> wrote:
> Steven Miller wrote:
>  > >
>  > > What could be the reason that I cannot telnet from
>  > > FreeBSD to Solaris 10
>  > > with the following error:
>  > >
>  > > Connected to oracle.sibptus.tomsk.ru.
>  > > Escape character is '^]'.
>  > > [ Trying mutual KERBEROS5
>  > > (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
>  > > [ Kerberos V5 refuses authentication because
>  > > Kerberos checksum verification failed: Bad
>  > > encryption type ]
>  > > [ Trying KERBEROS5
>  > > (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
>  > > [ Kerberos V5 refuses authentication because
>  > > Kerberos checksum verification failed: Bad
>  > > encryption type ]
>  > > Password:
>  > I believe that Solaris (as of Solaris 9) only supports
>  > des-cbc-crc encryption.
>
>  Actually, there *is* a des-cbc-crc key in the keytab, why wouldn't it just
>  use it?
>
>  # klist -e -k /etc/krb5/krb5.keytab
>  Keytab name: FILE:/etc/krb5/krb5.keytab
>  KVNO Principal
>  ---- -----------------------------------------------------------------------
>    1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with CRC-32)
>    1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (etype 2)
>    1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with RSA-MD5)
>    1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (Triple DES cbc mode with HMAC/sha1)

Probably because your client is getting a Triple DES service ticket
from the KDC, since that would be the strongest encryption type [that
it thinks the service supports].  If the Solaris machine can only do
DES, then re-issue the keytab with only a DES key:

ktadd -e des-cbc-crc:normal host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU

K.C.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
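
The diagnosis in the reply above can be checked mechanically from the `klist -e -k` listing. The following is an added example, not part of the original message: it parses the quoted listing and predicts whether the KDC would issue a ticket the service cannot decrypt. It assumes the keytab mirrors the principal's keys in the KDC database; the preference order and the function names are hypothetical.

```python
import re

# Constructed sample: the `klist -e -k` listing quoted in the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- -----------------------------------------------------------------------
   1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with CRC-32)
   1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (etype 2)
   1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with RSA-MD5)
   1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (Triple DES cbc mode with HMAC/sha1)
"""

# Assumption: the KDC prefers the strongest key it holds; order is illustrative
# and limited to the enctype labels that appear in the listing above.
KDC_PREFERENCE = [
    "Triple DES cbc mode with HMAC/sha1",
    "DES cbc mode with RSA-MD5",
    "etype 2",
    "DES cbc mode with CRC-32",
]

# A key line is: KVNO, principal@REALM, enctype label in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")

def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) for each key line of `klist -e -k`."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header, separator and blank lines do not match
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def check_principal(entries, principal, service_supports):
    """Predict the ticket enctype and list keys the service cannot use."""
    have = [e for _, p, e in entries if p == principal]
    ranked = [e for e in KDC_PREFERENCE if e in have]
    likely = ranked[0] if ranked else None
    return {
        "likely_ticket_enctype": likely,
        "unusable_keys": [e for e in have if e not in service_supports],
        "mismatch": likely is not None and likely not in service_supports,
    }

if __name__ == "__main__":
    princ = "host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU"
    # Assumption from the thread: the Solaris service only handles des-cbc-crc.
    print(check_principal(parse_keytab_listing(KLIST_OUTPUT), princ,
                          {"DES cbc mode with CRC-32"}))
```

With the listing from the thread the result reports a mismatch on the Triple DES key; filtering the entries down to the single DES key, as the `ktadd -e des-cbc-crc:normal` step would, clears it.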
