[29266] in Kerberos


Re: Kerberos V5 refuses authentication because

daemon@ATHENA.MIT.EDU (Victor Sudakov)
Sat Feb 16 09:00:39 2008

From: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Date: Sat, 16 Feb 2008 13:37:39 +0000 (UTC)
Message-ID: <fp6ov3$2l34$1@relay.tomsk.ru>
X-Complaints-To: noc@sibptus.tomsk.ru
X-Comment-To: "Kevin Coffman" <kwc@citi.umich.edu>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Kevin Coffman wrote:
> >  > > What could be the reason that I cannot telnet from
> >  > > FreeBSD to Solaris 10
> >  > > with the following error:
> >  > >
> >  > > Connected to oracle.sibptus.tomsk.ru.
> >  > > Escape character is '^]'.
> >  > > [ Trying mutual KERBEROS5
> >  > > (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
> >  > > [ Kerberos V5 refuses authentication because
> >  > > Kerberos checksum verification failed: Bad
> >  > > encryption type ]
> >  > > [ Trying KERBEROS5
> >  > > (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
> >  > > [ Kerberos V5 refuses authentication because
> >  > > Kerberos checksum verification failed: Bad
> >  > > encryption type ]
> >  > > Password:
> >  > I believe that solaris (as of solaris 9) only supports
> >  > des-cbc-crc encryption.
> >
> >  Actually, there *is* a des-cbc-crc key in the keytab, why wouldn't it just
> >  use it?
> >
> >  # klist -e -k /etc/krb5/krb5.keytab
> >  Keytab name: FILE:/etc/krb5/krb5.keytab
> >  KVNO Principal
> >  ---- -----------------------------------------------------------------------
> >    1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with CRC-32)
> >    1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (etype 2)
> >    1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with RSA-MD5)
> >    1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (Triple DES cbc mode with HMAC/sha1)

> probably because your client is getting a Triple DES service ticket
> from the KDC, since that would be the strongest encryption type [that
> it thinks the service supports].  If the Solaris machine can only do
> DES, then re-issue the keytab with only a DES key:

> ktadd -e des-cbc-crc:normal host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU

OK, I did
del_enctype host/oracle.sibptus.tomsk.ru des-cbc-md4 des-cbc-md5 des3-cbc-sha1
in kadmin and transferred the keytab anew. Now I have:

# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with CRC-32)
#       

But the problem remained. Any more ideas?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
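
The keytab check discussed in this thread, as an added example that is not part of the original message: a Python script that parses the `klist -e -k` listings quoted above and reports which entries fall outside the encryption types the service host is assumed to accept. The `SUPPORTED` set (DES-CBC-CRC only, taken from the quoted claim about Solaris) and the function names are assumptions.

```python
import re

# Assumption: the service host accepts only DES-CBC-CRC, per the claim quoted
# in the thread; the label is the one klist prints for that enctype.
SUPPORTED = {"DES cbc mode with CRC-32"}

PRINC = "host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU"

# Sample input: the two listings from the thread, retyped as test data.
BEFORE = f"""Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 {PRINC} (DES cbc mode with CRC-32)
   1 {PRINC} (etype 2)
   1 {PRINC} (DES cbc mode with RSA-MD5)
   1 {PRINC} (Triple DES cbc mode with HMAC/sha1)
"""
AFTER = f"""Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   2 {PRINC} (DES cbc mode with CRC-32)
#
"""

# One entry per line: key version number, principal, "(enctype label)".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples, skipping headers and prompts."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY.match, text.splitlines()) if m]

def audit(text, supported=SUPPORTED):
    """Summarise a keytab listing: key versions present and enctype coverage."""
    entries = parse_klist(text)
    return {
        "kvnos": sorted({k for k, _, _ in entries}),
        "usable": [e for _, _, e in entries if e in supported],
        "unsupported": [e for _, _, e in entries if e not in supported],
    }

if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(listing))
```

The `kvnos` field is reported so it can be compared with the key version the KDC holds for the principal.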
