Bad encryption type from gss-server

Carcassone France carcassone_fr at yahoo.com
Wed Jul 10 17:57:31 EDT 2002


--- Sam Hartman <hartmans at mit.edu> wrote:
> It might be significantly easier to debug problems
> like this if you included the versions of Kerberos
> you are using.  Better yet, preemptively upgrade to 1.2.5.
> 

The Solaris KDC is 1.2.5.  Upgraded the
gss-client/server to 1.2.5 and rebuilt on HP, one
version with static libraries and one with shared
libraries.

As suspected, the static version works but the shared
version got "Bad Encryption Type" error.  This means
the libraries on HP-UX B.11.11 are not compatible with
this version of KDC.

Is there some configuration I can fiddle with on the KDC
without needing to downgrade it?

Is the bad encryption caused by the "Triple DES cbc
mode with HMAC/sha1" in the krbtgt?  Can I remove it
to force "DES cbc" instead?

kadmin.local:  modprinc -support_desmd5 krbtgt/MYREALM.COM@MYREALM.COM
kadmin.local:  getprinc krbtgt/MYREALM.COM@MYREALM.COM
Principal: krbtgt/MYREALM.COM@MYREALM.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Jul 09 10:57:45 PDT 2002 (root/admin@MYREALM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

> klist -e
Ticket cache: /tmp/krb5cc_108
Default principal: joe@MYREALM.COM

Valid starting     Expires            Service principal
07/09/02 13:10:59  07/09/02 23:10:59  krbtgt/MYREALM.COM@MYREALM.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, etype 16
07/09/02 13:11:51  07/09/02 23:10:59  test/host1.myrealm.com@MYREALM.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, etype 16

# klist -k -e -t
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- -------------------------------------------------------------------------
   2 07/09/02 13:11:14 test/host1.myrealm.com@MYREALM.COM (DES cbc mode with CRC-32)
   2 07/09/02 13:11:14 test/host1.myrealm.com@MYREALM.COM (etype 16)

/etc/krb5.conf:
[libdefaults]
        ticket_lifetime = 600
        default_realm = MYREALM.COM
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

