keytab created on MIT KDC with des3 enctype does not work with heimdal

Arati Desai artipdesai at
Thu Jun 8 08:38:02 EDT 2006

Hi All,

I have a kerb5 setup with MIT KDC and heimdal client
APIs to perform kerb5 authentication. I have created
principals without specifying any keysaltlist. A
keytab is created by running ktadd. klist shows-

-bash2-2.05b$ sudo ktutil -k
/tmp/ list

Vno  Type           Principal
  5  des3-cbc-sha1  imap/ at DOMAIN.COM
  5  des-cbc-crc    imap/ at DOMAIN.COM

(Note: I have replace domain with actual domain name)

With this keytab, heimdal client gives authentication
failure. When I debugged the code I found that it is
failing in verify_checksum function.

Authentication is successful, if I specify -e
DES-CBC-CRC:normal to ktadd so that the keytab
contains just one enctype- des-cbc-crc. 

It does not seem to be a problem with multiple
enctypes, because creating keytab with just
des3-cbc-sha1 also does not solve the problem.

Is there a known problem with des3 enctype in heimdal
ot interoperability between MIT and heimdal for des3

Thanks in advance,

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

More information about the Kerberos mailing list