Problem to get TGT by des-cbc-md5 encrytype from Krb5-1.5.4 KDC on suse 10.

Leo Li liyilei1979 at
Wed Oct 31 01:37:05 EDT 2007

Hi, all
     I have a problem to get TGT while des-cbc-md5 enctypes from MIT
Krb5-1.5.4 KDC installed on suse 10.
     Here is the kdc.conf:

kdc_ports = 88

database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
kdc_ports = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
                supported_enctypes = des3-hmac-sha1:normal
arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal
des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3

And the krb5.conf has :

default_realm = EXAMPLE.COM <>
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tkt_enctypes = des-cbc-md5

  kdc =
  admin_server =
  default_domain =

[domain_realm] = EXAMPLE.COM <> = EXAMPLE.COM <>

And then if I run
       kinit test at EXAMPLE.COM
It complains:
       kinit(v5): KDC has no support for encryption type while getting
initial credentials

I also have added the des-cbc-md5 enctype as a keytab for test at EXAMPLE.COMby:
       kadmin.local:  addprinc -e "des-cbc-md5:normal" test at EXAMPLE.COM
And the getprinc also shows:
       kadmin.local:  getprinc test at EXAMPLE.COM
       Number of keys: 1
       Key: vno 1, DES cbc mode with RSA-MD5, no salt
       Policy: [none]

Besides, seems other encryption types are all supported, for example, the

So could somebody help to spot what is the problem?

Thanks in advance.

Leo Li
China Software Development Lab, IBM

More information about the Kerberos mailing list