Enctype Negotiation Problem
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Oct 11 19:28:05 EDT 2006
On Wednesday, October 11, 2006 06:20:30 PM -0500 John Hascall
<john at iastate.edu> wrote:
>
>
>> >> Except the issue here is he's getting a DES_CBC_MD4 session key when
>> >> he wants DES_CBC_CRC. The "why" is likely in the code you're quoting
>> >> - DES_CBC_MD4 is a "better" enctype, and both sides appear to support
>> >> it (since the single-des types are interchangeable).
>> >
>> >> I'd be curious to know how the resulting ticket is not "useful"; that
>> >> is, what application is being used and what error results when
>> >> attempting to use that ticket.
>> >
>> > Here is the error reported by the user:
>> >
>> > $ telnet -fax cerberus.ait.iastate.edu
>> > Encryption is verbose
>> > Trying 129.186.145.115...
>> > Connected to cerberus.ait.iastate.edu.
>> > Escape character is '^]'.
>> > [ Trying mutual KERBEROS5
>> > (host/cerberus.ait.iastate.edu at IASTATE.EDU)... ] [ Kerberos V5 refuses
>> > authentication because telnetd:
>> > krb5_rd_req failed: Encryption type not permitted ]
>> > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu at IASTATE.EDU)... ]
>> > [ Kerberos V5 refuses authentication because telnetd:
>> > krb5_rd_req failed: Encryption type not permitted ]
>>
>> Is the telnetd also heimdal? That sounds like either the machine
>> running telnetd is configured to require des-cbc-crc, or its keytab
>> contains only a des-cbc-crc key. You can fix the latter problem by
>> using ktutil to copy the keytab to a v4 srvtab and back.
>
> Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.
Ah, but MIT Kerberos treats des-cbc-crc, des-cbc-md4, and des-cbc-md5 as
interchangeable in a variety of cases, and Heimdal does not. So if you
have an MIT KDC and Heimdal application servers, then a principal with a
des-cbc-crc key in the KDB needs to have all three enctypes in its keytab.
-- Jeff
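An added illustration of the point above, not code from the thread, from MIT Kerberos or from Heimdal: a small reader and writer for the MIT keytab format (version 0x0502) that reports, for each principal and kvno holding any single-DES key, which of des-cbc-crc, des-cbc-md4 and des-cbc-md5 are absent, and produces a keytab with the missing siblings filled in from the same 8-byte DES key (the three enctypes share the key and differ only in their checksum, which is why the thread's srvtab round-trip is enough). The sample keytab, its key bytes and its timestamp are constructed for the example; the host principal name is the one that appears in the thread.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Single-DES enctype numbers (RFC 3961). All three use the same 8-byte DES key
# and differ only in the checksum, which is why MIT treats them as interchangeable.
DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5 = 1, 2, 3
SINGLE_DES = (DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5)


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def serialize_entry(e: KeytabEntry) -> bytes:
    """Encode one entry in MIT keytab version 0x0502 layout (big-endian)."""
    body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
    body += b"".join(_counted(c.encode()) for c in e.components)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)          # optional 32-bit kvno field
    return struct.pack(">i", len(body)) + body


def serialize_keytab(entries: List[KeytabEntry]) -> bytes:
    return b"\x05\x02" + b"".join(serialize_entry(e) for e in entries)


def _read_str(data: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a version-2 MIT keytab; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_str(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_str(data, pos)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                     # 32-bit kvno present; prefer it if nonzero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append(KeytabEntry(realm, comps, name_type, ts, kvno, etype, key))
        pos = end
    return entries


def missing_single_des(entries) -> Dict[Tuple[str, int], Set[int]]:
    """For each (principal, kvno) holding a single-DES key, the single-DES enctypes absent."""
    present: Dict[Tuple[str, int], Set[int]] = {}
    for e in entries:
        if e.enctype in SINGLE_DES:
            present.setdefault((e.principal, e.kvno), set()).add(e.enctype)
    return {k: set(SINGLE_DES) - v for k, v in present.items() if set(SINGLE_DES) - v}


def complete_single_des(entries) -> List[KeytabEntry]:
    """Entries plus copies of each single-DES key under the missing sibling enctypes."""
    out = list(entries)
    for (princ, kvno), missing in missing_single_des(entries).items():
        src = next(e for e in entries
                   if e.principal == princ and e.kvno == kvno and e.enctype in SINGLE_DES)
        for et in sorted(missing):
            out.append(KeytabEntry(src.realm, src.components, src.name_type,
                                   src.timestamp, kvno, et, src.key))
    return out


# Constructed sample: a keytab holding only a des-cbc-crc key for the host principal
# named in the thread. The key bytes and timestamp are made up for this example.
SAMPLE_KEYTAB = serialize_keytab([KeytabEntry(
    "IASTATE.EDU", ["host", "cerberus.ait.iastate.edu"], 1, 1160611200, 3,
    DES_CBC_CRC, bytes.fromhex("0123456789abcdef"))])


if __name__ == "__main__":
    before = parse_keytab(SAMPLE_KEYTAB)
    for (princ, kvno), missing in missing_single_des(before).items():
        print(f"{princ} kvno {kvno}: missing enctypes {sorted(missing)}")
    after = parse_keytab(serialize_keytab(complete_single_des(before)))
    print("enctypes after completion:", sorted(e.enctype for e in after))
```

Run against the sample, the checker reports the des-cbc-md4 and des-cbc-md5 entries as missing for kvno 3 of the host principal, and the completed keytab carries all three enctypes with the same key and kvno, which is the state a Heimdal application server behind an MIT KDC needs. A real keytab read from disk would go through the same `parse_keytab`; keytab version 0x0501 is deliberately rejected rather than misread.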