Encryption Type wrong
Jan Sanders
jsanders at TechFak.Uni-Bielefeld.DE
Wed Apr 30 09:11:21 EDT 2008
Hello,
I am having a little problem here. I am running a KDC on Solaris and a
number of clients on GNU/Linux. I have configured both the KDC and the
Kerberos clients to use only the des-cbc-crc:default encryption type.
When I create a principal on the server using addprinc without -e
des-cbc-crc:default, the principal is created with 4 keys. getprinc reveals:
Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt
If I use addprinc -e des-cbc-crc:normal, then I get the desired key:
Key: vno 22, DES cbc mode with CRC-32, no salt
The same goes for cpw.
This I could live with, since the group of users having admin privileges
is very small.
But an ordinary user once in a while wants to change the password and
will use kpasswd. kpasswd does not have the ability to choose the
encryption type, and then a user ends up not having a key with
des-cbc-crc:normal. Unfortunately, GNU/Linux kinit breaks if the KDC does
not have a key with the des-cbc-crc:normal encryption type in store.
Any help appreciated
cheers
Jan Sanders
The config files follow.
The krb5.conf on the GNU/Linux client:
[libdefaults]
default_realm = MY.DOMAIN
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
MY.DOMAIN = {
kdc = kdc.my.domain
admin_server = kdc.my.domain
}
[domain_realm]
my.domain = MY.DOMAIN
.my.domain = MY.DOMAIN
[login]
krb4_convert = true
krb4_get_tickets = false
The kdc.conf on the Solaris machine:
[libdefaults]
default_realm = MY.DOMAIN
default_keytab_name = /etc/krb5/krb5.keytab
[kdcdefaults]
kdc_ports = 88,750
[realms]
MY.DOMAIN = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
supported_enctypes = des-cbc-crc:normal
}
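The practical follow-up to a problem like the one described in this post is finding out which principals in the database currently lack the key type the clients insist on, so the affected accounts can be re-keyed before anyone calls in. The script below is an added example, not code from the original post nor from MIT or Solaris Kerberos. It parses the "Key: vno N, <enctype>, <salt>" lines that kadmin's getprinc prints (the format quoted above), lists the principals that have no key of a given enctype, and builds kadmin cpw commands for the service principals among them. The principal names and the sample getprinc output are constructed for illustration; the enctype display name and the des-cbc-crc:normal keysalt are taken from the post.

```python
"""Audit kadmin getprinc output for principals missing a required enctype.

Added example; this is not code from the original post or from MIT/Solaris
Kerberos. It parses the "Key: vno N, <enctype>, <salt>" lines that kadmin's
getprinc prints (the format quoted in the post) and reports which principals
have no key of the enctype the restricted clients insist on. The principal
names and the sample output below are constructed for illustration.
"""
import re
from typing import Dict, List

# The enctype name kadmin prints for des-cbc-crc, taken from the post.
REQUIRED_ENCTYPE = "DES cbc mode with CRC-32"

PRINC_LINE = re.compile(r"^Principal:\s+(\S+)$")
KEY_LINE = re.compile(r"^Key:\s+vno\s+(\d+),\s+(.+?),\s+(.+)$")


def parse_getprinc(text: str) -> Dict[str, List[dict]]:
    """Map each principal in concatenated getprinc output to its list of keys.

    Each key is {"vno": int, "enctype": str, "salt": str}. Lines that are
    neither a "Principal:" nor a "Key:" line are ignored.
    """
    keys_by_princ: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PRINC_LINE.match(line)
        if m:
            current = m.group(1)
            keys_by_princ.setdefault(current, [])
            continue
        m = KEY_LINE.match(line)
        if m and current is not None:
            keys_by_princ[current].append(
                {"vno": int(m.group(1)), "enctype": m.group(2), "salt": m.group(3)}
            )
    return keys_by_princ


def missing_enctype(keys_by_princ: Dict[str, List[dict]],
                    required: str = REQUIRED_ENCTYPE) -> List[str]:
    """Principals that have no key of the required enctype, sorted by name."""
    return sorted(
        princ for princ, keys in keys_by_princ.items()
        if not any(k["enctype"] == required for k in keys)
    )


def rekey_commands(principals: List[str],
                   keysalt: str = "des-cbc-crc:normal") -> List[str]:
    """kadmin 'cpw -randkey -e <keysalt>' lines for service principals only.

    User principals (no '/' in the primary) are deliberately skipped: a random
    key would lock the user out, so they need cpw -e ... -pw or kpasswd instead.
    """
    return [
        f"cpw -randkey -e {keysalt} {p}"
        for p in principals if "/" in p.split("@")[0]
    ]


def audit(text: str, required: str = REQUIRED_ENCTYPE) -> List[str]:
    """Names of the principals in `text` that lack a `required` key."""
    return missing_enctype(parse_getprinc(text), required)


# Constructed sample: three principals, in the format the post quotes.
SAMPLE_GETPRINC = """\
Principal: alice@MY.DOMAIN
Number of keys: 4
Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt
Principal: bob@MY.DOMAIN
Number of keys: 1
Key: vno 22, DES cbc mode with CRC-32, no salt
Principal: host/web.my.domain@MY.DOMAIN
Number of keys: 2
Key: vno 3, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 3, DES cbc mode with RSA-MD5, no salt
"""

if __name__ == "__main__":
    lacking = audit(SAMPLE_GETPRINC)
    for princ in lacking:
        print(f"{princ}: no '{REQUIRED_ENCTYPE}' key")
    for cmd in rekey_commands(lacking):
        print(cmd)
```

In real use, feed the script the concatenated output of `kadmin.local -q "getprinc <name>"` for every name that `kadmin.local -q listprincs` returns. The `required` parameter is just the display name kadmin prints, so the same audit can equally be run for an AES enctype when the time comes to move the realm off DES.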