[32725] in Kerberos


Re: e-type / kvno processing in 1.8

daemon@ATHENA.MIT.EDU (Tim Metz)
Mon Sep 27 16:02:02 2010

Message-ID: <4CA0F834.4080004@ucdavis.edu>
Date: Mon, 27 Sep 2010 13:01:56 -0700
From: Tim Metz <tpmetz@ucdavis.edu>
MIME-Version: 1.0
To: Russ Allbery <rra@stanford.edu>, kerberos@mit.edu
In-Reply-To: <87d3rzufx0.fsf@windlord.stanford.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Russ Allbery wrote:
> Tim Metz <tpmetz@ucdavis.edu> writes:
>
>> We have in our MIT KDC some legacy principals that were imported from
>> another commercial Kerberos product. For kvno=0, they have an unknown
>> e-type.  For kvno=1, they have an e-type "DES cbc mode with CRC-32,
>> Version 4".
>>
>> Under MIT versions 1.6.3 and 1.7.1, running kinit against these
>> principals is functional.
>>
>> Starting with MIT version 1.8 however, using the same import process for
>> the principals, kinit fails as follows:
>>
>> kinit -k -t /etc/krb5.keytab host/hostname.example.com
>> kinit(v5): KDC has no support for encryption type while getting initial
>> credentials
>>
>> At first pass, the problem at least has the appearance that it could be
>> related to kvno processing code.  More specifically, in versions prior
>> to 1.8 if a kvno=0 contained an unsupported encryption type, processing
>> would continue to kvno=1 and succeed.  Starting with version 1.8, it
>> looks like if kvno=0 has an unsupported e-type, processing fails, and
>> does not continue on to consult kvno=1.
>
> I suspect you have a much simpler problem, namely that 1.8 disabled
> support for DES by default.  Try adding:
>
>     allow_weak_crypto     = true
>
> to the [libdefaults] section of krb5.conf for your KDCs and see if that
> changes matters.
>

Thanks, Russ.  I intended to include, and realized after sending that I
hadn't, the information that we have "allow_weak_crypto = true" in the
[libdefaults] section of our kdc.conf and krb5.conf.  We can create
principals with only "DES cbc mode with CRC-32", and successfully kinit
against them, so I believe the KDC is supporting weak e-types.



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
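
An added example, not part of the thread and not MIT krb5 code: a small check that `allow_weak_crypto` really sits at the top level of `[libdefaults]` in a krb5.conf-style file, as the setting discussed above requires, rather than in another section or commented out. The function names, the sample file and the list of accepted boolean spellings are assumptions made for this sketch.

```python
import re
# Boolean spellings assumed to match those MIT krb5's profile parser accepts.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}
SECTION = re.compile(r"^\[([^\]]+)\]")
RELATION = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")

def find_relation(conf_text, name="allow_weak_crypto"):
    """Return [(section, raw_value)] for every top-level `name = value` line."""
    section, depth, found = None, 0, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = SECTION.match(line)
        if m and depth == 0:
            section = m.group(1).strip()
            continue
        if line.startswith("}"):             # end of a subsection
            depth = max(depth - 1, 0)
            continue
        m = RELATION.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("{"):            # subsection such as a realm block
            depth += 1
        elif depth == 0 and key == name:
            found.append((section, value.strip('"')))
    return found

def weak_crypto_status(conf_text):
    """'enabled', 'disabled', 'unset', 'conflict' or 'invalid' for [libdefaults]."""
    values = [v.lower() for s, v in find_relation(conf_text) if s == "libdefaults"]
    if not values:
        return "unset"
    if any(v not in TRUE_WORDS | FALSE_WORDS for v in values):
        return "invalid"
    states = {v in TRUE_WORDS for v in values}
    return "conflict" if len(states) > 1 else ("enabled" if states.pop() else "disabled")

# Constructed sample: the relation sits under [realms], not [libdefaults].
MISPLACED = """[libdefaults]
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
    allow_weak_crypto = true
"""
```

Running `weak_crypto_status` over both krb5.conf and kdc.conf on the KDC host rules out a misplaced or commented-out setting before looking at key selection.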
