Enctype Negotiation Problem

John Hascall john at iastate.edu
Wed Oct 11 19:20:30 EDT 2006



> >> Except the issue here is he's getting a DES_CBC_MD4 session key when he
> >> wants DES_CBC_CRC.  The "why" is likely in the code you're quoting -
> >> DES_CBC_MD4 is a "better" enctype, and both sides appear to support it
> >> (since the single-des types are interchangeable).
> >
> >> I'd be curious to know how the resulting ticket is not "useful"; that
> >> is, what application is being used and what error results when
> >> attempting to use that ticket.
> >
> > Here is the error reported by the user:
> >
> > $ telnet -fax cerberus.ait.iastate.edu
> > Encryption is verbose
> > Trying 129.186.145.115...
> > Connected to cerberus.ait.iastate.edu.
> > Escape character is '^]'.
> > [ Trying mutual KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
> > [ Kerberos V5 refuses authentication because telnetd:
> >   krb5_rd_req failed: Encryption type not permitted ]
> > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
> > [ Kerberos V5 refuses authentication because telnetd:
> >   krb5_rd_req failed: Encryption type not permitted ]
> 
> Is the telnetd also Heimdal?  That sounds like either the machine running
> telnetd is configured to require des-cbc-crc, or its keytab contains only a
> des-cbc-crc key.  You can fix the latter problem by using ktutil to copy
> the keytab to a v4 srvtab and back.

Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.

John


