CANT_FIND_CLIENT_KEY

Matt Zagrabelny mzagrabe at d.umn.edu
Tue Mar 30 16:58:14 EDT 2010


Greetings,

I sent an email to the list a week ago regarding issues with a Cisco switch
in an MIT Kerberos realm.

Through some trial-and-error I am currently getting the following error
in the kdc.log:

AS_REQ (1 etypes {1}) 10.25.1.14: CANT_FIND_CLIENT_KEY: mzagrabe at D.UMN.EDU for krbtgt/D.UMN.EDU at D.UMN.EDU, KDC has no support for encryption type

I assume the encryption type is (1) des-cbc-crc.

How do I make the KDC have support for the encryption type? It looks
like I already have it:

% cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    D.UMN.EDU = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-md5:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

That is, des-cbc-crc:normal is in the above list of
"supported_enctypes".

Thanks for any help,

-- 
Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 4096R/42A00942 2009-12-16
Fingerprint: 5814 2CCE 2383 2991 83FF  C899 07E2 BFA8 42A0 0942

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
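
Added example, not part of the original post: a short Python check that decodes the etype list in KDC log request lines like the one quoted above and lists the clients that offered only single-DES enctypes. The function names and the second and third sample log lines are constructed for illustration.

```python
import re

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}

# Request header of a KDC log entry, e.g.
#   AS_REQ (1 etypes {1}) 10.25.1.14: CANT_FIND_CLIENT_KEY: ...
REQ_RE = re.compile(
    r"(AS_REQ|TGS_REQ) \((\d+) etypes \{([\d\- ]*)\}\) (\S+): ([A-Z_]+):"
)

def parse_request(line):
    """Return the request fields of one log line, or None if it is not a request."""
    m = REQ_RE.search(line)
    if m is None:
        return None
    etypes = [int(n) for n in m.group(3).split()]
    return {
        "kind": m.group(1),
        "client_addr": m.group(4),
        "status": m.group(5),
        "etypes": etypes,
        "names": [ETYPE_NAMES.get(n, "etype-%d" % n) for n in etypes],
        # True when the client offered nothing stronger than single DES.
        "des_only": bool(etypes) and set(etypes) <= SINGLE_DES,
    }

def des_only_clients(lines):
    """Map client address -> statuses of its requests that offered only single DES."""
    found = {}
    for line in lines:
        req = parse_request(line)
        if req and req["des_only"]:
            found.setdefault(req["client_addr"], set()).add(req["status"])
    return found

# First entry is the line from the post, joined onto one line; the rest are constructed.
SAMPLE_LOG = [
    "AS_REQ (1 etypes {1}) 10.25.1.14: CANT_FIND_CLIENT_KEY: mzagrabe at D.UMN.EDU for krbtgt/D.UMN.EDU at D.UMN.EDU, KDC has no support for encryption type",
    "AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1269982694, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "AS_REQ (2 etypes {3 1}) 192.0.2.20: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required",
]

if __name__ == "__main__":
    for addr, statuses in sorted(des_only_clients(SAMPLE_LOG).items()):
        print(addr, sorted(statuses))
```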