Encryption Type wrong
Jan Sanders
jsanders at TechFak.Uni-Bielefeld.DE
Thu May 8 06:07:19 EDT 2008
Hi,
No one has any ideas? Maybe someone knows where I can find an appropriate
forum/list on the Sun Microsystems site. I was unable to find one. I
only found blogs on Kerberos topics.
cheers
Jan Sanders
Jan Sanders wrote:
> Hello,
>
> I am having a little problem here. I am running a KDC on Solaris and a
> number of clients on GNU/Linux. For both the KDC and the
> Kerberos-Clients I have configured them to use only the
> des-cbc-crc:default encryption type.
> When creating a principal on the server using addprinc without -e
> des-cbc-crc:default the principal is created with 4 keys. getprinc reveals:
>
> Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 21, ArcFour with HMAC/md5, no salt
> Key: vno 21, DES cbc mode with RSA-MD5, no salt
>
> If I use addprinc -e des-cbc-crc:normal then I get the desired
> Key: vno 22, DES cbc mode with CRC-32, no salt
>
> The same goes for cpw.
>
> This I could live with since the group of users having admin privileges
> is very small.
>
> But the ordinary user once in a while wants to change the password and
> will use kpasswd. kpasswd does not have the ability to choose the
> encryption type and then a user ends up not having a key with
> des-cbc-crc:normal. Unfortunately GNU/Linux kinit breaks if the KDC does
> not have a key with the des-cbc-crc:normal encryption type in store.
>
>
> Any help appreciated
>
> cheers
>
> Jan Sanders
>
> The config files follow.
>
> The krb5.conf on the GNU/Linux client:
> [libdefaults]
> default_realm = MY.DOMAIN
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented. In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
>
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> MY.DOMAIN = {
> kdc = kdc.my.domain
> admin_server = kdc.my.domain
> }
>
> [domain_realm]
> my.domain = MY.DOMAIN
> .my.domain = MY.DOMAIN
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
>
>
>
> The kdc.conf on the Solaris machine:
>
> [libdefaults]
> default_realm = MY.DOMAIN
> default_keytab_name = /etc/krb5/krb5.keytab
>
> [kdcdefaults]
> kdc_ports = 88,750
>
> [realms]
> MY.DOMAIN = {
> profile = /etc/krb5/krb5.conf
> database_name = /var/krb5/principal
> admin_keytab = /etc/krb5/kadm5.keytab
> acl_file = /etc/krb5/kadm5.acl
> kadmind_port = 749
> max_life = 8h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> default_principal_flags = +preauth
> supported_enctypes = des-cbc-crc:normal
> }
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
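The mismatch described in the quoted message, as an added example (not part of the original post and not code from any Kerberos distribution): it maps the getprinc key descriptions to enctype names and checks them against the client's default_tkt_enctypes. The mapping table, the function names and the exact-name matching (the behaviour the post reports) are assumptions.

```python
import re

# getprinc descriptions quoted in the post -> krb5.conf enctype names
# (assumed mapping; some implementations spell these with aliases).
DESCRIPTIONS = {
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}
KEY_LINE = re.compile(r"^\s*Key: vno (\d+), (.+?), (.+?)\s*$")

# Sample input constructed from the lines quoted in the post.
AFTER_KPASSWD = """\
Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt
"""
AFTER_ADDPRINC_E = "Key: vno 22, DES cbc mode with CRC-32, no salt\n"
CLIENT_CONF = """\
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
"""

def principal_enctypes(getprinc_output):
    """Enctype names of the keys listed in getprinc output."""
    found = set()
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            found.add(DESCRIPTIONS.get(m.group(2), "unknown: " + m.group(2)))
    return found

def client_enctypes(krb5_conf, option="default_tkt_enctypes"):
    """Ordered enctype list for one libdefaults option."""
    for line in krb5_conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == option:
            return value.replace(",", " ").split()
    return []

def usable_enctypes(getprinc_output, krb5_conf):
    """Requested enctypes for which the principal has a key (exact match)."""
    have = principal_enctypes(getprinc_output)
    return [e for e in client_enctypes(krb5_conf) if e in have]
```

An empty result from usable_enctypes for the vno 21 key set corresponds to the kinit failure reported after kpasswd; the vno 22 key set yields des-cbc-crc.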