Bad encryption type from gss-server

carcassone_fr@yahoo.com carcassone_fr at yahoo.com
Wed Jul 10 17:56:04 EDT 2002


hartmans at mit.edu (Sam Hartman) wrote in message news:<tslwus3mtan.fsf at konishi-polis.mit.edu>...
> It might be significantly easier to debug problems like this if you
> included the versions of Kerberos you are using.  Better yet,
> preemptively upgrade to 1.2.5.

The Solaris KDC is 1.2.5.  Upgraded the gss-client/server to 1.2.5 and
rebuilt on HP, one version with static libraries and one with shared
libraries.

As expected, the static version works but the shared version got "Bad
Encryption Type" error.  This means the libraries on HP-UX B.11.11 are
not compatible with this version of KDC.

Is there some configuration I can fiddle with on the KDC without the need
to downgrade it?

Is the bad encryption caused by the "Triple DES cbc mode with
HMAC/sha1" in the krbtgt?  Can I remove it to force "DES cbc" instead?

kadmin.local:  modprinc -support_desmd5 krbtgt/MYREALM.COM@MYREALM.COM
kadmin.local:  getprinc krbtgt/MYREALM.COM@MYREALM.COM
Principal: krbtgt/MYREALM.COM@MYREALM.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Jul 09 10:57:45 PDT 2002 (root/admin@MYREALM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

> klist -e
Ticket cache: /tmp/krb5cc_108
Default principal: joe@MYREALM.COM

Valid starting     Expires            Service principal
07/09/02 13:10:59  07/09/02 23:10:59  krbtgt/MYREALM.COM@MYREALM.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, etype 16
07/09/02 13:11:51  07/09/02 23:10:59  test/host1.myrealm.com@MYREALM.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, etype 16

# klist -k -e -t
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- -------------------------------------------------------------------------
   2 07/09/02 13:11:14 test/host1.myrealm.com@MYREALM.COM (DES cbc mode with CRC-32)
   2 07/09/02 13:11:14 test/host1.myrealm.com@MYREALM.COM (etype 16)

/etc/krb5.conf:
[libdefaults]
        ticket_lifetime = 600
        default_realm = MYREALM.COM
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc


