Interop/Compat: 3DES used in AS-REP despite no client support

Matt mwreynolds at gmail.com
Wed Dec 7 12:48:29 EST 2005


Thank you for that info.

I was able to solve the immediate problem by adding permitted_enctypes
= rc4-hmac des-cbc-md5 des-cbc-crc to the [libdefaults] section of
krb5.conf. This caused DES to be used for all enc-parts and did allow
the Windows KDC to issue a service ticket. This causes another problem,
though, which is that I am unable to restart kadmind with the error: No
matching key in entry having a permitted enctype

Based on your statements, it would seem that a superior solution would
be to ensure that for all the principals I create (user principals and
the cross realm krbtgt/A.A@X.X) only RC4 and DES keys should be created
and stored.

How can I accomplish this? I would be happy to recreate the principals
after changing a setting, but I can't seem to find this configuration.

With no enctype restrictions set anywhere, I would think that every MIT
supported key type would be created and stored upon principal creation
(ank <principal> within kadmin). But at present it seems that on my
system only 3DES and DES keys are created, never RC4. My indications
that this is happening are 1) If I create a principal (while no enctype
restrictions are in place), and then try to authenticate that principal
on a client which requests DES and RC4, DES (and 3DES for the first enc
part) is always used in the response, never RC4. Also, if I use ktadd
to export a keytab for that principal, only 3DES and DES keys are
exported, never RC4. This leads me to believe that RC4 keys are never
generated.

Given that this is a Windows interop scenario, I think that I would
want the MIT KDC and/or kadmin to create and store RC4 and DES (and no
other) keys for all principals that I create. So far in my fumbling
inexperience I have not been able to accomplish this. I tried to
accomplish this by setting the supported_enctypes for the realm in
kdc.conf to rc4-hmac des-cbc-md5:normal des-cbc-crc:normal but after
restarting and creating a new principal, it still appears to store only
3DES and DES keys.

Help!

Thanks

-Matt
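As an added illustration, not part of the thread, of where the two enctype settings named in the message live in MIT Kerberos: permitted_enctypes is a [libdefaults] setting in krb5.conf that limits the enctypes the library will accept in session keys, while supported_enctypes is a per-realm setting inside the [realms] block of kdc.conf that kadmin uses as its default enctype:salt list when generating keys for a new principal or keytab entry. The realm name EXAMPLE.COM and the file paths are placeholders.

```ini
# Added example, not from the thread. EXAMPLE.COM and paths are placeholders.

# /etc/krb5.conf (library side): enctypes this host will accept in
# session keys and enc-parts. Listing only RC4 and DES here forces the
# weaker types for every exchange this host takes part in.
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc

# /var/kerberos/krb5kdc/kdc.conf (KDC side): supported_enctypes belongs
# inside the realm stanza, not at top level; it is the default
# enctype:salt list kadmin applies when no -e option is given.
[realms]
    EXAMPLE.COM = {
        supported_enctypes = rc4-hmac:normal des-cbc-md5:normal des-cbc-crc:normal
    }
```

Independently of those defaults, kadmin's `-e` option pins the key types for one principal, e.g. `addprinc -e "rc4-hmac:normal des-cbc-md5:normal" user` or `ktadd -e "rc4-hmac:normal des-cbc-md5:normal" -k /path/to/user.keytab user`, which is the quickest way to check what the KDC will actually store. Note that the "No matching key in entry having a permitted enctype" failure at kadmind startup means the keys kadmind holds for its own service principals are not in the permitted_enctypes list, so those principals need keys of a permitted type too. Current MIT releases refuse the single-DES enctypes entirely unless allow_weak_crypto is set, and RC4 is likewise deprecated, so this configuration should be treated as a compatibility stopgap rather than a long-term setup.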


