kadmin ktadd -e keysaltlist for des-cbc-md5

Tim Alsop Tim.Alsop at CyberSafe.Com
Tue Sep 12 17:58:20 EDT 2006


Tom,

Using MIT krb5 1.5.1, I tried this :

kadmin.local:  addprinc -randkey test/princ at FLIK.LOCAL
WARNING: no policy specified for test/princ at FLIK.LOCAL; defaulting to no policy
Principal "test/princ at FLIK.LOCAL" created.
kadmin.local:  ktadd -e DES-CBC-MD5:NORMAL test/princ
Entry for principal test/princ with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:

As you can see, this works fine, and I don't get any errors like you
did.

I then used the CyberSafe client to test that the principal in the KDC is OK.

I first requested a TGT from the MIT KDC :

# kinit talsop at FLIK.LOCAL
Password for talsop at FLIK.LOCAL: 
#

Then, using kinit -S I was able to get a service ticket with DES-CBC-MD5
(etype 3) session key using the principal just created. As you can see
below, this works :

# kinit -S test/princ at FLIK.LOCAL
# klist -e
          Cache Type: Kerberos V5 Credentials Cache
          Cache File: /krb5/tmp/cc/krb5cc_0
       Cache Version: 0504
   Default Principal: talsop at FLIK.LOCAL

Valid From                    Expires                       Service Principal
----------------------------  ----------------------------  -----------------
Tue 12 Sep 2006 22:52:19 BST  Wed 13 Sep 2006 06:52:19 BST  krbtgt/FLIK.LOCAL at FLIK.LOCAL
   Session Key EType: 23 (ARCFOUR-HMAC-MD5)
        Ticket EType: 23 (ARCFOUR-HMAC-MD5)
Tue 12 Sep 2006 22:52:25 BST  Wed 13 Sep 2006 06:52:19 BST  test/princ at FLIK.LOCAL
   Session Key EType:  1 (DES-CBC-CRC)
        Ticket EType:  3 (DES-CBC-MD5)
#

I hope this helps.

Regards,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Tom Simons
Sent: 12 September 2006 22:18
To: kerberos at mit.edu
Subject: kadmin ktadd -e keysaltlist for des-cbc-md5

I'm trying to get a keytab with des-cbc-md5 encryption (no salt) from our
kerberos 1.5 realm for a CyberSafe client. How do I specify the ktadmin
ktadd command's "-e keysaltlist" parameter?  I tried variations on
"ktadd -k <filename> -e ENCTYPE_DES_CBC_MD5:NONE", but get the same error:

    kadmin:  ktadd -k host.TESTMIT.keytab -e ENCTYPE_DES_CBC_MD5:NOSALT
    ktadd: Invalid argument while parsing keysalts ENCTYPE_DES_CBC_MD5
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



