HELP! Linux KDC error with des-cbc-md5 etype client

Khosrova, Eliza Eliza.Khosrova at
Wed Oct 25 12:21:58 EDT 2006


We are running an MIT Kerberos V5 KDC, installed using the package:
krb5-server - 1.4.3-4.1.i386.

We have a Kerberos client application that runs under Windows.  The
client application can only support des-cbc-md5.  When the client app
sends AS-REQ using only supported etype: des-cbc-md5, the KDC responds

It seems like our Linux KDC by default also needs (des-cbc-crc) even
though we only listed des-cbc-md5 in KDC configuration file.  The reason
is that when we try to authenticate locally on Linux box using the same
user we tried from our Kerberos client application, the KDC log file
shows the generated AS-REP w/ etypes (rep=3 tkt=3 ses=1) as shown below
so it looks like session or whatever ses is created using etype=1:

Oct 24 17:27:31 krb5kdc[3116](info): AS_REQ (2 etypes {3
1}) ISSUE: authtime 1161736051, etypes {rep=3 tkt=3
ses=1}, test at SERVER.COM for krbtgt/EA49.COM at EA49.COM

If we change krb5.conf on Linux box for the test user to only list etype
of des-cbc-md5 and remove des-cbc-crc, then we can no longer login even
locally from Linux box.  So, it seems like KDC requires the client to
support etype of 1 which is des-cbc-crc.  

Any suggestions on how to make or force our Linux KDC to only use
des-cbc-md5 for everything and not use des-cbc-crc?

Thanks in advance for your prompt response.

More information about the Kerberos mailing list