principal: Invalid argument while creating "foo@FOO".

Greg Hudson ghudson at MIT.EDU
Tue Dec 29 12:47:45 EST 2009


On Tue, 2009-12-29 at 11:39 -0500, Jeff Blaine wrote:
> > Do you have RC4 ("arcfour-hmac-md5", etc.) configured in
> > your "supported_enctypes" on that KDC?
> 
> I don't understand why I would need to specify that (?)

Tom was asking that to verify that his understanding of your problem was
correct; he wasn't suggesting a workaround.

The problem is that addprinc -randkey works in an odd way: it creates
the principal with a dummy password (and a flag to disallow issuing of
tickets) and then asks the kadmin server to randomize the password.

In krb5 1.6, the dummy password is a 255-byte string containing all
possible byte values.  This is what causes the problem with a krb5 1.7
server if you're supporting RC4 keys, because that dummy password is not
valid UTF-8.  krb5 1.7 clients use a different dummy password which
doesn't have this problem.
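
The failure described in the message above, as an added example that is not part of the original post and is not krb5 code: it rebuilds a 255-byte all-values password, finds where UTF-8 decoding breaks, and reports which `supported_enctypes` entries would be affected. The function names, the ascending byte order, the sample enctype list, and the rule that only arcfour/rc4 enctypes need the UTF-8 conversion are assumptions.

```python
# Added illustration; function names are hypothetical, not krb5 APIs.

def dummy_password_1_6() -> bytes:
    """Constructed stand-in for the 1.6 dummy password: 255 bytes, each
    non-NUL byte value once (ascending order is an assumption)."""
    return bytes(range(1, 256))


def rc4_key_input(password: bytes) -> bytes:
    """Bytes an RC4 string-to-key would hash: the password re-encoded as
    UTF-16LE. Raises UnicodeDecodeError if it is not valid UTF-8."""
    return password.decode("utf-8", errors="strict").encode("utf-16-le")


def first_invalid_utf8_offset(password: bytes):
    """Offset of the first byte that breaks UTF-8 decoding, or None."""
    try:
        password.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


def rejected_enctypes(password: bytes, supported_enctypes: str) -> list:
    """Entries of a supported_enctypes value (enctype:salt pairs) whose
    key derivation would fail for this password. Assumption: only
    arcfour/rc4 enctypes need the UTF-8 conversion."""
    if first_invalid_utf8_offset(password) is None:
        return []
    entries = supported_enctypes.replace(",", " ").split()
    return [e for e in entries
            if e.split(":")[0].lower().startswith(("arcfour", "rc4"))]


if __name__ == "__main__":
    kdc_enctypes = "aes256-cts:normal arcfour-hmac-md5:normal"  # constructed
    old = dummy_password_1_6()
    ascii_only = bytes(range(1, 128))  # constructed valid-UTF-8 sample
    print(first_invalid_utf8_offset(old))
    print(rejected_enctypes(old, kdc_enctypes))
    print(rejected_enctypes(ascii_only, kdc_enctypes))
```
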




