principal: Invalid argument while creating "foo@FOO".
Greg Hudson
ghudson at MIT.EDU
Tue Dec 29 12:47:45 EST 2009
On Tue, 2009-12-29 at 11:39 -0500, Jeff Blaine wrote:
> > Do you have RC4 ("arcfour-hmac-md5", etc.) configured in
> > your "supported_enctypes" on that KDC?
>
> I don't understand why I would need to specify that (?)
Tom was asking that to verify that his understanding of your problem was
correct; he wasn't suggesting a workaround.
The problem is that addprinc -randkey works in an odd way: it creates
the principal with a dummy password (and a flag to disallow issuing of
tickets) and then asks the kadmin server to randomize the password.
In krb5 1.6, the dummy password is a 255-byte string containing all
possible byte values. This is what causes the problem with a krb5 1.7
server if you're supporting RC4 keys, because that dummy password is not
valid UTF-8. krb5 1.7 clients use a different dummy password which
doesn't have this problem.
More information about the Kerberos
mailing list