Enctype Negotiation Problem
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Oct 11 19:17:21 EDT 2006
On Wednesday, October 11, 2006 06:06:08 PM -0500 John Hascall
<john at iastate.edu> wrote:
>
>> Except the issue here is he's getting a DES_CBC_MD4 session key when he
>> wants DES_CBC_CRC. The "why" is likely in the code you're quoting -
>> DES_CBC_MD4 is a "better" enctype, and both sides appear to support it
>> (since the single-des types are interchangeable).
>
>> I'd be curious to know how the resulting ticket is not "useful"; that
>> is, what application is being used and what error results when
>> attempting to use that ticket.
>
> Here is the error reported by the user:
>
> $ telnet -fax cerberus.ait.iastate.edu
> Encryption is verbose
> Trying 129.186.145.115...
> Connected to cerberus.ait.iastate.edu.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5 (host/cerberus.ait.iastate.edu at IASTATE.EDU)... ]
> [ Kerberos V5 refuses authentication because telnetd:
> krb5_rd_req failed: Encryption type not permitted ]
> [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu at IASTATE.EDU)... ]
> [ Kerberos V5 refuses authentication because telnetd:
> krb5_rd_req failed: Encryption type not permitted ]

Is the telnetd also Heimdal? That sounds like either the machine running
telnetd is configured to require des-cbc-crc, or its keytab contains only a
des-cbc-crc key. You can fix the latter problem by using ktutil to copy
the keytab to a v4 srvtab and back.
-- Jeff