Problem with V4 keys in krb5-1.2.5

Mike Friedman mikef at ack.Berkeley.EDU
Mon Jun 24 17:49:40 EDT 2002


On Mon Jun 24 14:20:14 2002, Sam Hartman said:

> I have reproduced this problem.
> 
> Can you confirm that:
> 
> * Things work with your 1.2.1 KDC?
> 
> * It doesn't matter what version of your clients you are using?

Sam,

Since I sent my note, I did some further investigation.  Here's what I found:

If my client's krb5.conf file contained the following:

    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc

then the problem occurred.  So, first, I just reversed the order of the
enctypes in both statements above (i.e., I put 'des-cbc-crc' first).  Then,
I was able to get a TGT successfully (with kinit) for a principal with an
old V4 key.

However, kadmin would still fail to authenticate an admin principal that had
an old V4 key.  So then I just removed the 'des3-hmac-sha1' completely from
krb5.conf.  (I'm not using des3 keys anyway in either my V1.2.1 or V1.2.5
KDC).  This allowed kadmin to work as well.

The kadmin and kinit clients that I used were both V1.2.1 and V1.2.5.  Whether
the problem occurred (with my V1.2.5 KDC) seems to depend entirely on the
contents of the client's krb5.conf as described above.

The krb5.conf containing the des3 enctype entries doesn't cause a problem with
my V1.2.1 KDC.  I tested with a remote client using both versions of
krb5.conf; the 'bad' version fails with the V1.2.5 KDC but works with my
V1.2.1 KDC.  The 'good' version (with the 'des3' entries removed) works with
both KDCs.  The database on the V1.2.5 KDC is just a copy of the db on V1.2.1.

Mike

------------------------------------------------------------------------------
Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu
------------------------------------------------------------------------------
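The three krb5.conf variants Mike describes (des3 listed first, des-cbc-crc listed first, and des3 removed) differ only in the two enctype lines under [libdefaults]. The script below is an added example, not code from the thread or from MIT krb5: it parses the flat [libdefaults] section of a krb5.conf and reports which of the three variants a host is carrying, so an administrator can check clients before touching the KDC. The sample configuration texts, the realm name EXAMPLE.COM and the KDC hostname are constructed for the example.

```python
"""Classify the [libdefaults] enctype lists of a krb5.conf.

Added example, not part of the original mailing-list thread.  The sample
configs are constructed; the parser only reads the flat [libdefaults]
section and skips sections that use nested { } blocks (e.g. [realms]).
"""

import re

# Constructed sample: the 'bad' krb5.conf from the message (des3 first).
BAD_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample: order reversed (kinit worked, kadmin still failed).
REVERSED_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des-cbc-crc des3-hmac-sha1
    default_tkt_enctypes = des-cbc-crc des3-hmac-sha1
"""

# Constructed sample: the 'good' krb5.conf (des3 entries removed).
GOOD_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes")


def parse_libdefaults(text):
    """Return {key: value} for the flat [libdefaults] section only."""
    section = None
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def enctype_lists(text):
    """Return {key: [enctype, ...]} for both enctype lists (missing -> [])."""
    libdefaults = parse_libdefaults(text)
    return {k: libdefaults.get(k, "").split() for k in ENCTYPE_KEYS}


def des3_before_single_des(enctypes):
    """True if des3-hmac-sha1 is listed ahead of des-cbc-crc."""
    if "des3-hmac-sha1" not in enctypes or "des-cbc-crc" not in enctypes:
        return False
    return enctypes.index("des3-hmac-sha1") < enctypes.index("des-cbc-crc")


def classify(text):
    """Map a krb5.conf to the three cases in the message:
    'bad'   - des3 ahead of des-cbc-crc in either list (kinit and kadmin failed)
    'mixed' - des3 present but behind des-cbc-crc (kinit worked, kadmin failed)
    'good'  - no des3 entry at all (both worked against the 1.2.5 KDC)
    """
    lists = enctype_lists(text)
    if any(des3_before_single_des(v) for v in lists.values()):
        return "bad"
    if any("des3-hmac-sha1" in v for v in lists.values()):
        return "mixed"
    return "good"


if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("reversed", REVERSED_CONF),
                       ("good", GOOD_CONF)):
        print(f"{name:9s} -> {classify(conf)} {enctype_lists(conf)}")
```

Run it against a real client file by reading it into `classify()`; a 'bad' or 'mixed' result identifies the hosts that would hit the failure Mike saw with principals that still carry V4 (single-DES) keys.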
