password incorrect but it's not, works fine with Solaris + MIT?
Marcus Watts
mdw at spam.ifs.umich.edu
Tue Dec 11 17:15:42 EST 2007
> Date: Tue, 11 Dec 2007 15:30:30 EST
> To: kerberos at mit.edu
> From: Jeff Blaine <jblaine at kickflop.net>
> Subject: Re: password incorrect but it's not, works fine with Solaris + MIT?
>
> Thanks for the replies, Steve and Marcus.
>
> I have no enctype settings specified in either my kdc.conf
> or krb5.conf on the client(s) as I was under the impression
> that was the best practice.
>
> Steve, from what I understand, you did not require all users
> to change passwords (re-key) in order for things to work,
> correct?
>
> I've tried adding explicit enctype settings in both kdc.conf
> and krb5.conf (a list including the defaults according to
> the MIT krb5 docs + des-cbc-crc:afs3) and that did not seem
> to help any.
>
> I also tested this on a RHELv4 box (instead of the RHELv3
> box mentioned in the original message to the list) and got
> the same error.
>
> Jeff Blaine wrote:
> > What am I doing wrong this time?
> >
> > -bash-2.05b# /usr/kerberos/bin/kinit jblaine at RCF.FOO.COM
> > Password for jblaine at RCF.FOO.COM:
> > kinit(v5): Password incorrect while getting initial credentials
> > -bash-2.05b#
> >
> > -bash-2.05b# rpm -qa | grep krb5
> > krb5-workstation-1.2.7-38
> > krb5-libs-1.2.7-38
> > pam_krb5-1.70-1
> > krb5-devel-1.2.7-38
> > -bash-2.05b# uname -a
> > Linux blackbird-vm2 2.4.21-53.EL #1 Wed Nov 14 04:02:23 EST 2007
> > i686 i686 i386 GNU/Linux
> > -bash-2.05b#
> >
> > However, /usr/rcf-krb5/bin/kinit jblaine at RCF.FOO.COM works
> > fine on a Solaris 9 box (which has our MIT krb5 build).
> >
> > BOTH hosts have the same exact /etc/krb5.conf
> >
> > krb5kdc says:
> >
> > Dec 07 15:46:49 silmaril.foo.com krb5kdc[26865](info):
> > AS_REQ (5 etypes {16 23 1 3 2}) 129.xx.xx.xx: ISSUE: authtime
> > 1197060409, etypes {rep=1 tkt=16 ses=16}, jblaine at RCF.FOO.COM
> > for krbtgt/RCF.FOO.COM at RCF.FOO.COM
> >
> > Principal looks like:
> >
> > kadmin: getprinc jblaine
> > Principal: jblaine at RCF.FOO.COM
> > Expiration date: Wed Dec 30 19:00:00 EST 2037
> > Last password change: [never]
> > Password expiration date: [none]
> > Maximum ticket life: 14 days 00:00:00
> > Maximum renewable life: 7 days 00:00:00
> > Last modified: Mon Oct 29 21:08:00 EDT 2007 (jblaine at RCF.FOO.COM)
> > Last successful authentication: [never]
> > Last failed authentication: [never]
> > Failed password attempts: 0
> > Number of keys: 1
> > Key: vno 5, DES cbc mode with CRC-32, AFS version 3
> > Attributes:
> > Policy: [none]
> > kadmin:
I was hoping you would try different salt types on the principal itself
(while leaving the enctype as des-cbc-crc). Still, you appear to have
2 of 3 necessary conditions to manifest the bug described here:
http://mailman.mit.edu/pipermail/krb5-bugs/2006-February/004246.html
in which case, this patch applied to the kdc may fix it:
http://www.umich.edu/~mdw/krb5143-kdcetype.diff
I don't think you ever said what version of kerberos you had installed
on your server, so I don't know how much trouble you'll have patching that.
This patch was developed against MIT 1.4.3, but substantially the same
code (and presumably the same behavior) was still there as of 1.6.1.
-Marcus Watts
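To make the numeric etypes in the krb5kdc log line and the key description in the kadmin getprinc output easier to compare, here is an added Python helper. It is not code from this thread or from MIT krb5; it assumes the enctype numbers from RFC 3961/RFC 4120, the enctype and salt display strings that older MIT kadmin prints for DES keys, the general Kerberos rule that a client derives its key with the default v5 salt unless the KDC tells it otherwise via ETYPE-INFO, and MIT kadmin's `change_password -e enctype:salt` syntax. It does not encode the specific bug Marcus links to; it only decodes both lines and lists the checks a practitioner would run before patching.

```python
import re

# Encryption-type numbers from RFC 3961 / RFC 4120, spelled as MIT krb5 names them.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}

# How an older kadmin 'getprinc' describes a key's enctype. Only the DES family is
# mapped because that is all this thread shows; anything else is reported as unknown.
KADMIN_ENCTYPE_DESC = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD4": 2,
    "DES cbc mode with RSA-MD5": 3,
}

# kadmin's salt-type display string -> keysalt specifier accepted by 'change_password -e'.
KADMIN_SALT_DESC = {
    "no salt": "normal",
    "Version 5": "normal",
    "Version 4": "v4",
    "Version 5 - No Realm": "norealm",
    "Version 5 - Realm Only": "onlyrealm",
    "AFS version 3": "afs3",
    "Special": "special",
}

AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<addr>\S+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)
KEY_RE = re.compile(r"Key: vno (?P<vno>\d+), (?P<enc>[^,]+)(?:, (?P<salt>.+))?$")


def parse_as_req(line):
    """Decode one krb5kdc 'AS_REQ ... ISSUE' line; None if the line is not one."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    return {
        "requested": [int(x) for x in m.group("req").split()],  # etypes offered by client
        "rep": int(m.group("rep")),  # enctype protecting the AS-REP (client's key)
        "tkt": int(m.group("tkt")),  # enctype of the TGT (krbtgt key)
        "ses": int(m.group("ses")),  # session key enctype
        "client": m.group("client"),
        "server": m.group("server"),
        "addr": m.group("addr"),
    }


def parse_key_line(line):
    """Decode a 'Key: vno N, <enctype>[, <salt>]' line from kadmin getprinc."""
    m = KEY_RE.search(line.strip())
    if not m:
        return None
    etype = KADMIN_ENCTYPE_DESC.get(m.group("enc").strip())
    salt = KADMIN_SALT_DESC.get((m.group("salt") or "no salt").strip())
    return {"vno": int(m.group("vno")), "etype": etype, "salt": salt}


def diagnose(as_req, key):
    """List the enctype/salt conditions that turn into 'Password incorrect' on the client."""
    findings = []
    name = ETYPE_NAMES.get
    if key["etype"] is None or key["salt"] is None:
        return ["unrecognised enctype or salt description in getprinc output"]
    if key["etype"] not in as_req["requested"]:
        findings.append("client offered %s but the principal's only key is %s"
                        % (", ".join(name(e, str(e)) for e in as_req["requested"]),
                           name(key["etype"])))
    if as_req["rep"] != key["etype"]:
        findings.append("AS-REP enctype %s does not match the principal key %s"
                        % (name(as_req["rep"], str(as_req["rep"])), name(key["etype"])))
    if key["salt"] != "normal":
        findings.append("key uses the '%s' salt; unless the KDC conveys that salt in "
                        "PA-ETYPE-INFO/ETYPE-INFO2 the client string-to-keys with the "
                        "default v5 salt, cannot decrypt the AS-REP, and kinit reports "
                        "'Password incorrect'" % key["salt"])
    if as_req["rep"] in SINGLE_DES:
        findings.append("AS-REP is protected with single DES (%s), deprecated by RFC 6649"
                        % name(as_req["rep"]))
    return findings


def rekey_command(principal, etype, salt):
    """kadmin command to re-key with an explicit enctype:salt (syntax assumed from MIT kadmin)."""
    return "change_password -e %s:%s %s" % (ETYPE_NAMES[etype], salt, principal)


# Sample input: the KDC log line and key line quoted in the thread, each joined onto one
# line, with the archive's ' at ' restored to '@' (the address stays masked as on the page).
KDC_LINE = ("Dec 07 15:46:49 silmaril.foo.com krb5kdc[26865](info): AS_REQ (5 etypes "
            "{16 23 1 3 2}) 129.xx.xx.xx: ISSUE: authtime 1197060409, etypes {rep=1 tkt=16 "
            "ses=16}, jblaine@RCF.FOO.COM for krbtgt/RCF.FOO.COM@RCF.FOO.COM")
KEY_LINE = "Key: vno 5, DES cbc mode with CRC-32, AFS version 3"

if __name__ == "__main__":
    req = parse_as_req(KDC_LINE)
    key = parse_key_line(KEY_LINE)
    print("client offered:", [ETYPE_NAMES.get(e, e) for e in req["requested"]])
    for finding in diagnose(req, key):
        print("-", finding)
    print("re-key with a normal salt:", rekey_command("jblaine", key["etype"], "normal"))
```

On the lines quoted in this thread the helper reports that the client did offer des-cbc-crc (1) and the KDC did reply with it, so the remaining suspects are the AFS3 salt on the only key and the single-DES reply; the printed `change_password` line is the re-key Marcus suggests trying (different salt, same enctype), and it changes the user's key, so it needs the user's password or `-randkey` and a coordinated rollout.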