[32724] in Kerberos
Re: e-type / kvno processing in 1.8
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 27 15:48:01 2010
From: Russ Allbery <rra@stanford.edu>
To: Tim Metz <tpmetz@ucdavis.edu>
In-Reply-To: <4CA0EA72.8090503@ucdavis.edu> (Tim Metz's message of "Mon, 27
Sep 2010 12:03:14 -0700")
Date: Mon, 27 Sep 2010 12:47:55 -0700
Message-ID: <87d3rzufx0.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Tim Metz <tpmetz@ucdavis.edu> writes:
> We have in our MIT KDC some legacy principals that were imported from
> another commercial Kerberos product. For kvno=0, they have an unknown
> e-type. For kvno=1, they have an e-type "DES cbc mode with CRC-32,
> Version 4".
>
> Under MIT versions 1.6.3 and 1.7.1, running kinit against these
> principals is functional.
>
> Starting with MIT version 1.8 however, using the same import process for
> the principals, kinit fails as follows:
>
>     kinit -k -t /etc/krb5.keytab host/hostname.example.com
>     kinit(v5): KDC has no support for encryption type while getting initial
>     credentials
>
> At first pass, the problem at least has the appearance that it could be
> related to kvno processing code. More specifically, in versions prior
> to 1.8 if a kvno=0 contained an unsupported encryption type, processing
> would continue to kvno=1 and succeed. Starting with version 1.8, it
> looks like if kvno=0 has an unsupported e-type, processing fails, and
> does not continue on to consult kvno=1.

I suspect you have a much simpler problem, namely that 1.8 disabled
support for DES by default. Try adding:

    allow_weak_crypto = true

to the [libdefaults] section of krb5.conf for your KDCs and see if that
changes matters.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
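
An added example, not part of the original message and not MIT krb5 code: a Python reader for the version 0x0502 keytab file format that lists principals holding nothing but single-DES keys, which are the entries that would depend on allow_weak_crypto if the reply's diagnosis is right. The function names are hypothetical, and only the three single-DES enctype numbers from RFC 3961 are treated as DES.

```python
import struct
import sys

# Single-DES enctype numbers from RFC 3961. Assumption following the reply:
# principals with only these key types are the ones affected by the 1.8 default.
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def counted(data, p):
    """Read a 16-bit length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab file bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp.decode())
        # skip name type and timestamp (4 bytes each); then 8-bit kvno, enctype
        kvno, etype = struct.unpack_from(">BH", data, p + 8)
        _key, p = counted(data, p + 11)
        if end - p >= 4:              # optional 32-bit kvno wins when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries

def des_only(entries):
    """Principals that have no key other than single DES."""
    seen = {}
    for princ, _kvno, etype in entries:
        seen.setdefault(princ, set()).add(etype)
    return sorted(p for p, ets in seen.items() if ets <= set(SINGLE_DES))

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        print("\n".join(des_only(parse_keytab(fh.read()))))
```

Run it with a keytab path as the only argument; every principal it prints needs new keys of a stronger enctype before allow_weak_crypto can be turned off again.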