Ticket enctype question
Russ Allbery
rra at stanford.edu
Thu Aug 31 12:20:02 EDT 2006
Hello all,
We're in the process of enabling additional enctypes in a K5 realm that
previously only had DES keys. Our kdc.conf file now reads (in part):
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal aes256-cts:normal
I've rekeyed the krbtgt key of our realm (with -keepold) to add the new
enctypes, and my user principal has had its password changed to acquire
new enctypes:
Principal: krbtgt/stanford.edu at stanford.edu
Expiration date: [never]
Last password change: Thu Aug 31 06:05:13 PDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 01:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Aug 31 06:05:13 PDT 2006 (rra/admin at stanford.edu)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
Principal: rra at stanford.edu
Expiration date: [never]
Last password change: Tue Mar 28 11:05:10 PST 2006
Password expiration date: [none]
Maximum ticket life: 1 day 01:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Aug 10 16:27:53 PDT 2006 (rra/admin at stanford.edu)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 10, DES cbc mode with CRC-32, no salt
Key: vno 10, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 10, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: standard
However, when I run klist -5e after running kinit, I see:
Ticket cache: FILE:/tmp/krb5cc_1000_TsmYeM
Default principal: rra at stanford.edu
Valid starting Expires Service principal
08/31/06 09:14:36 09/01/06 10:14:33 krbtgt/stanford.edu at stanford.edu
Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, DES cbc mode with CRC-32
Why is the tkt encrypted with des-cbc-crc? Is there some other key that
also needs to be rekeyed, or some configuration error somewhere?
The client is not setting any enctype restrictions; the complete
[libdefaults] section on the client is:
default_realm = stanford.edu
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
The relevant KDC log messages are:
Aug 31 09:14:20 kerberos3 krb5kdc[27556]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 171.64.19.147: NEEDED_PREAUTH: rra at stanford.edu for krbtgt/stanford.edu at stanford.edu, Additional pre-authentication required
Aug 31 09:14:24 kerberos3 krb5kdc[27556]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 171.64.19.147: ISSUE: authtime 1157040864, etypes {rep=18 tkt=1 ses=18}, rra at stanford.edu for krbtgt/stanford.edu at stanford.edu
That tkt=1 is the problem.
The master key (K/M at stanford.edu) is des-cbc-crc, of course, but my
understanding was that that was not supposed to affect the bits on the
wire. Is my understanding incorrect?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
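The KDC log lines quoted above carry the answer to "which key was the ticket encrypted with" in their etypes {rep=.. tkt=.. ses=..} field. As an added example (not from the original post or from MIT Kerberos itself), here is a small Python parser for krb5kdc AS_REQ ISSUE lines that decodes those numbers and flags tickets whose tkt enctype is still single-DES, which is how an operator would check a log for leftover DES ticket keys after a rekey like the one described. The sample log lines are constructed from the post's excerpt with "@" restored in place of the archive's " at ".

```python
import re
# Kerberos enctype numbers as assigned in RFC 3961/3962/4757 (IANA registry).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Single-DES ticket keys are the case the post is worried about (tkt=1).
WEAK_ETYPES = {1, 2, 3}

ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ \((\d+) etypes \{([\d ]+)\}\) (\S+): ISSUE: "
    r"authtime (\d+), etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)$"
)

def etype_name(n):
    return ETYPE_NAMES.get(n, "etype-%d" % n)

def parse_issue(line):
    """Return the fields of a krb5kdc AS_REQ ISSUE line, or None for other lines."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return {
        "offered": [int(x) for x in m.group(2).split()],  # enctypes the client advertised
        "client_addr": m.group(3),
        "rep": int(m.group(5)),      # enctype of the AS-REP, i.e. the client's key
        "tkt": int(m.group(6)),      # enctype of the ticket, i.e. the service (krbtgt) key
        "ses": int(m.group(7)),      # negotiated session key enctype
        "client": m.group(8),
        "service": m.group(9),
    }

def weak_ticket_issues(lines):
    """Report ISSUE events whose ticket was encrypted with a single-DES key."""
    findings = []
    for line in lines:
        rec = parse_issue(line)
        if rec and rec["tkt"] in WEAK_ETYPES:
            findings.append((rec["client"], rec["service"], etype_name(rec["tkt"])))
    return findings

# Constructed sample lines modelled on the post's log excerpt ("@" restored).
SAMPLE_LOG = [
    "Aug 31 09:14:20 kerberos3 krb5kdc[27556]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 171.64.19.147: NEEDED_PREAUTH: rra@stanford.edu for krbtgt/stanford.edu@stanford.edu, Additional pre-authentication required",
    "Aug 31 09:14:24 kerberos3 krb5kdc[27556]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 171.64.19.147: ISSUE: authtime 1157040864, etypes {rep=18 tkt=1 ses=18}, rra@stanford.edu for krbtgt/stanford.edu@stanford.edu",
    "Aug 31 09:20:01 kerberos3 krb5kdc[27556]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 171.64.19.148: ISSUE: authtime 1157041201, etypes {rep=18 tkt=18 ses=18}, alice@stanford.edu for krbtgt/stanford.edu@stanford.edu",
]
```

Running weak_ticket_issues(SAMPLE_LOG) reports only the first ISSUE line, since its ticket key is des-cbc-crc while the reply and session keys are already AES-256.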