Encryption key type order w. windows auth?

David Botsch dwb7 at ccmr.cornell.edu
Tue Jun 22 09:18:02 EDT 2004


Gotten around the problem by using the following keys in this order:

supported_enctypes = des3-cbc-sha1:normal des-cbc-md5:normal des-cbc-crc:afs3

Windows is happy, linux just works. Interestingly enough, kerb4 authenticated
login on the Macs broke for anyone that had changed their pw and had the above
key types. Had to enable kerb5 and all was well (had only seen this previously
on Mac when having multiple des-cbc-crc key/salt combos and afs3 wasn't the
first listed one -- Mac specifies a string to key type of afs for kerb4).

Also ran into problems trying to add other key/salt combos. For example, any
attempts to add des-cbc-crc:normal, des-cbc-crc:afs3 AND des-cbc-md5:normal
seems to result in one of the 3 being ignored depending on the order these
keys are listed in kdc.conf ... have yet to get the kdc to not ignore any of
the non-exported arcfour types.

Yes, we are using 1.3.3 Kerberos from MIT.

On Tue, Jun 22, 2004 at 07:02:27AM -0400, Sam Hartman wrote:
> >>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at cmu.edu> writes:
> 
> 
>     Jeffrey> You should not depend on the "ordering" you're seeing
>     Jeffrey> here; logically, it's an unordered set.  If you have
>     Jeffrey> Windows users, they will need to not have AFS-salted
>     Jeffrey> keys.
> 
> Last time I checked the keys in the kdb are very much an ordered set,
> or at least there is a distinguished key used for requests without
> preauthentication and a distinguished key used by the KDC for a
> principal as a server and our implementation selects these
> distinguished keys based on order.
> 
> You have several options for fixing the problem:
> 
> * Set the preauth_required attribute and make sure you have a 1.3.x KDC.
> * Order the keys so the afs3 keys and v4 salted keys come last.
> 

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7 at ccmr.cornell.edu
********************************
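The thread turns on one configuration detail: the KDC picks the distinguished key (the one handed to clients that request without preauthentication, such as Windows) by list order, so afs3-salted and v4-salted keys must come after the normal-salted ones. The script below is an added example, not code from the thread or from MIT Kerberos: it parses a kdc.conf supported_enctypes line into enctype:salt pairs, reports the ordering problems discussed above (a non-normal salt listed first, normal-salted keys listed after afs3/v4 ones, duplicate pairs), and produces the reordered line that applies Sam Hartman's second fix. The assumption that an omitted salt type means "normal" follows the MIT keysalt-list convention and is marked in the code; the "bad" input line is constructed for the demonstration.

```python
"""Check and repair the key/salt ordering of a kdc.conf supported_enctypes line.

Added example (not from the mailing-list thread or from MIT Kerberos). The rule
it enforces is the one given in the thread: normal-salted keys first, afs3 and
v4 salted keys last, so that the first listed key is usable by clients that
do not preauthenticate (e.g. Windows).
"""
import re

# Salt types the thread says must not be listed first.
NON_DEFAULT_SALTS = {"afs3", "v4"}

# Sample lines: the first is the working line from the post, the second is a
# constructed misordered line used to exercise the checks.
GOOD_LINE = "supported_enctypes = des3-cbc-sha1:normal des-cbc-md5:normal des-cbc-crc:afs3"
BAD_LINE = "supported_enctypes = des-cbc-crc:afs3 des3-cbc-sha1:normal des-cbc-md5:normal"


def parse_supported_enctypes(line):
    """Return the enctype:salt tokens of a supported_enctypes line as (enctype, salt) tuples."""
    m = re.match(r"\s*supported_enctypes\s*=\s*(.*?)\s*$", line)
    if not m:
        raise ValueError("not a supported_enctypes line")
    pairs = []
    for token in m.group(1).split():
        enctype, _, salt = token.partition(":")
        # Assumption: an omitted salt type means the normal salt, as in MIT keysalt lists.
        pairs.append((enctype, salt or "normal"))
    return pairs


def check_key_order(pairs):
    """Return a list of findings describing ordering problems; empty means the order is sound."""
    findings = []
    if pairs and pairs[0][1] in NON_DEFAULT_SALTS:
        enctype, salt = pairs[0]
        findings.append(
            f"first key {enctype}:{salt} has a non-normal salt; clients that do not "
            "preauthenticate would be given this key"
        )
    seen_non_default = False
    for enctype, salt in pairs:
        if salt in NON_DEFAULT_SALTS:
            seen_non_default = True
        elif seen_non_default:
            findings.append(
                f"{enctype}:{salt} is listed after an afs3/v4-salted key; "
                "afs3 and v4 keys should come last"
            )
    seen = set()
    for pair in pairs:
        if pair in seen:
            findings.append(f"duplicate key/salt combination {pair[0]}:{pair[1]}")
        seen.add(pair)
    return findings


def reorder(pairs):
    """Stable reorder: normal-salted keys first, afs3/v4-salted keys last."""
    default = [p for p in pairs if p[1] not in NON_DEFAULT_SALTS]
    special = [p for p in pairs if p[1] in NON_DEFAULT_SALTS]
    return default + special


def format_line(pairs):
    """Render (enctype, salt) tuples back into a supported_enctypes line."""
    return "supported_enctypes = " + " ".join(f"{e}:{s}" for e, s in pairs)


if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        pairs = parse_supported_enctypes(line)
        print(line)
        for finding in check_key_order(pairs) or ["no ordering problems found"]:
            print("  -", finding)
        if check_key_order(pairs):
            print("  suggested:", format_line(reorder(pairs)))
```

Run against the poster's working line the checker reports nothing; against the constructed line it flags the afs3 key listed first and the two normal-salted keys that follow it, and the suggested line is exactly the working one from the post. This only checks the order written in kdc.conf; keys already stored for existing principals keep the order they were created with, which is why the post notes that users who had changed their password behaved differently from the rest.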

