Encryption Type wrong

Jan Sanders jsanders at TechFak.Uni-Bielefeld.DE
Thu May 8 06:07:19 EDT 2008


Hi,

No one has any ideas? Maybe someone knows where I can find an appropriate 
forum/list on the Sun Microsystems site. I was unable to find one. I 
only found blogs on Kerberos topics.

cheers

Jan Sanders

Jan Sanders wrote:
> Hello,
>
> I am having a little problem here. I am running a KDC on Solaris and a 
> number of clients on GNU/Linux. For both the KDC and the 
> Kerberos clients I have configured them to use only the 
> des-cbc-crc:default encryption type.
> When creating a principal on the server using addprinc without -e 
> des-cbc-crc:default the principal is created with 4 keys. getprinc reveals:
>
> Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 21, ArcFour with HMAC/md5, no salt
> Key: vno 21, DES cbc mode with RSA-MD5, no salt
>
> If I use addprinc -e des-cbc-crc:normal then I get the desired
> Key: vno 22, DES cbc mode with CRC-32, no salt
>
> The same goes for cpw.
>
> This I could live with since the group of users having admin privileges 
> is very small.
>
> But the ordinary user once in a while wants to change the password and 
> will use kpasswd. kpasswd does not have the ability to choose the 
> encryption type and then a user ends up not having a key with 
> des-cbc-crc:normal. Unfortunately GNU/Linux kinit breaks if the KDC does 
> not have a key with the des-cbc-crc:normal encryption type in store.
>
>
> Any help appreciated
>
> cheers
>
> Jan Sanders
>
> The config files following.
>
> The krb5.conf on the GNU/Linux client:
> [libdefaults]
>         default_realm = MY.DOMAIN
>
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented.  In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
>
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
>
> [realms]
>         MY.DOMAIN = {
>                 kdc = kdc.my.domain
>                 admin_server = kdc.my.domain
>         }
>
> [domain_realm]
>         my.domain = MY.DOMAIN
>         .my.domain = MY.DOMAIN
>
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>
>
>
>
> The kdc.conf on the Solaris machine:
>
> [libdefaults]
>         default_realm = MY.DOMAIN
>         default_keytab_name = /etc/krb5/krb5.keytab
>
> [kdcdefaults]
>         kdc_ports = 88,750
>
> [realms]
>         MY.DOMAIN = {
>                 profile = /etc/krb5/krb5.conf
>                 database_name = /var/krb5/principal
>                 admin_keytab = /etc/krb5/kadm5.keytab
>                 acl_file = /etc/krb5/kadm5.acl
>                 kadmind_port = 749
>                 max_life = 8h 0m 0s
>                 max_renewable_life = 7d 0h 0m 0s
>                 default_principal_flags = +preauth
>                 supported_enctypes = des-cbc-crc:normal
>         }
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
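Added here as an illustration, not code from the original thread: a small Python audit script that parses the "Key: vno N, <enctype>, <salt>" lines printed by kadmin's getprinc and reports which principals lack a required enctype (the des-cbc-crc key that kinit on the GNU/Linux clients needs) or carry keys whose version numbers do not match. The sample getprinc output is constructed from the key lines quoted above; the principal name, the function names and the alias table mapping getprinc's long enctype names to krb5.conf-style names are my own assumptions.

```python
import re

# Constructed sample: the four key lines quoted in the post (vno 21,
# created by addprinc without -e). The principal name is made up.
SAMPLE_GETPRINC = """\
Principal: jsanders@MY.DOMAIN
Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt
"""

# Constructed sample: the single key line quoted after
# addprinc -e des-cbc-crc:normal (vno 22).
SAMPLE_AFTER_E = """\
Principal: jsanders@MY.DOMAIN
Key: vno 22, DES cbc mode with CRC-32, no salt
"""

# One getprinc key line: "Key: vno <n>, <enctype long name>, <salt>"
KEY_RE = re.compile(r"^Key: vno (?P<vno>\d+), (?P<enctype>.+?), (?P<salt>.+)$")

# Long names getprinc prints -> krb5.conf-style enctype names.
# Only the names seen in the post are listed; anything else is kept verbatim.
ENCTYPE_ALIASES = {
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

def parse_keys(getprinc_output):
    """Return a list of {vno, enctype, salt} dicts, one per Key: line."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue  # Principal:, Expiration date:, etc. are ignored
        long_name = m.group("enctype")
        keys.append({
            "vno": int(m.group("vno")),
            "enctype": ENCTYPE_ALIASES.get(long_name, long_name),
            "salt": m.group("salt"),
        })
    return keys

def missing_enctypes(keys, required):
    """Required enctype names for which the principal has no key at all."""
    present = {k["enctype"] for k in keys}
    return [e for e in required if e not in present]

def vno_consistent(keys):
    """True when every key carries the same key version number.

    A mismatch usually means one key was set by hand with -e while the
    others came from an earlier cpw/kpasswd run.
    """
    return len({k["vno"] for k in keys}) <= 1

def audit(getprinc_output, required=("des-cbc-crc",)):
    """Summarise one principal: what is missing and whether vnos agree."""
    keys = parse_keys(getprinc_output)
    return {
        "key_count": len(keys),
        "missing": missing_enctypes(keys, required),
        "vno_consistent": vno_consistent(keys),
    }

if __name__ == "__main__":
    for label, sample in (("without -e", SAMPLE_GETPRINC), ("with -e", SAMPLE_AFTER_E)):
        print(label, audit(sample))
```

Run it against `kadmin -q "getprinc <name>"` output for each principal (for example after a user has changed a password with kpasswd) to catch the case described above, where the principal ends up without a des-cbc-crc key, before kinit on a client fails.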