principal: Invalid argument while creating "foo@FOO".

Jeffrey Altman jaltman at secure-endpoints.com
Tue Dec 29 13:02:31 EST 2009


On 12/29/2009 12:47 PM, Greg Hudson wrote:
> On Tue, 2009-12-29 at 11:39 -0500, Jeff Blaine wrote:
>>> Do you have RC4 ("arcfour-hmac-md5", etc.) configured in
>>> your "supported_enctypes" on that KDC?
>>
>> I don't understand why I would need to specify that (?)
>
> Tom was asking that to verify that his understanding of your problem was
> correct; he wasn't suggesting a workaround.
>
> The problem is that addprinc -randkey works in an odd way: it creates
> the principal with a dummy password (and a flag to disallow issuing of
> tickets) and then asks the kadmin server to randomize the password.
>
> In krb5 1.6, the dummy password is a 255-byte string containing all
> possible byte values.  This is what causes the problem with a krb5 1.7
> server if you're supporting RC4 keys, because that dummy password is not
> valid UTF-8.  krb5 1.7 clients use a different dummy password which
> doesn't have this problem.
May I suggest that, in order to provide for backward compatibility, kadmin
recognize the well-known dummy password and the use of the disallow-tickets
flag and replace the dummy password with one that will succeed.

Jeffrey Altman
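The following is an added illustration, not code from this thread or from MIT krb5. It shows why the krb5 1.6 dummy password described above fails the RC4-HMAC string-to-key step (RFC 4757 requires the password to be read as UTF-8 and re-encoded as UTF-16LE before hashing), and sketches the compatibility shim proposed in the reply. The exact byte order of the 1.6 dummy, the flag constant DISALLOW_ALL_TIX, the replacement string and all function names are assumptions made here for the example.

```python
"""Added example (not the thread's or MIT krb5's code): the krb5 1.6 dummy
password versus a UTF-8-aware RC4 string-to-key, plus a hypothetical
server-side shim that swaps in a usable placeholder.

Assumptions not stated on the page: the 1.6 dummy is modelled as the bytes
0x01..0xFF in order; DISALLOW_ALL_TIX stands in for kadmin's disallow-tickets
flag; REPLACEMENT_DUMMY is a constructed value.
"""

DISALLOW_ALL_TIX = 0x0001                          # hypothetical flag constant
REPLACEMENT_DUMMY = b"kadmin-randkey-placeholder"  # constructed; any valid UTF-8 works


def krb5_16_dummy_password() -> bytes:
    """Constructed stand-in for the krb5 1.6 dummy: 255 bytes, every non-NUL value once."""
    return bytes(range(1, 256))


def rc4_password_to_unicode(password: bytes) -> bytes:
    """First step of RC4-HMAC string-to-key (RFC 4757): the password is treated as
    UTF-8 text and re-encoded as UTF-16LE before it is hashed with MD4.
    Strict UTF-8 decoding raises UnicodeDecodeError on bytes that are not valid
    UTF-8, which is the failure described in the thread. The MD4 step is omitted."""
    text = password.decode("utf-8")   # strict, as a UTF-8-aware KDC would decode it
    return text.encode("utf-16-le")


def rc4_s2k_accepts(password: bytes) -> bool:
    """True if the password can reach the hashing step of RC4 string-to-key."""
    try:
        rc4_password_to_unicode(password)
        return True
    except UnicodeDecodeError:
        return False


def server_side_addprinc(password: bytes, flags: int) -> bytes:
    """Hypothetical shim in the spirit of the reply: when a client sends the
    well-known 1.6 dummy together with the disallow-tickets flag, substitute a
    password every configured string-to-key routine can consume.
    Returns the password the server would actually use."""
    if password == krb5_16_dummy_password() and flags & DISALLOW_ALL_TIX:
        return REPLACEMENT_DUMMY
    return password


if __name__ == "__main__":
    dummy = krb5_16_dummy_password()
    print("1.6 dummy accepted by RC4 s2k:", rc4_s2k_accepts(dummy))
    chosen = server_side_addprinc(dummy, DISALLOW_ALL_TIX)
    print("after shim, accepted:", rc4_s2k_accepts(chosen))
```

The shim only acts on the exact dummy combined with the disallow-tickets flag, so an ordinary password that happens to be invalid UTF-8 is still rejected rather than silently rewritten.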
