KDC has no support for encryption type

Brian J. Murrell brian at interlinx.bc.ca
Tue Mar 16 08:23:49 EDT 2010


Hello everyone.

I've just recently upgraded my distro which included an upgrade of MIT
kerberos to (debian version) "1.8+dfsg~alpha1-7" which I'm assuming is
some kind of 1.8 (pre-)release.

Since that upgrade, my NFS4 mounts no longer work.  On the KDC I am
getting:

00:20:43 krb5kdc TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0,  nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:20:43 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0,  nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:22:02 krb5kdc TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0,  nfs/pc.xxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type
00:22:02 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0,  nfs/pc.xxxx.com at ILINX for nfs/linux.xxx.com at ILINX, KDC has no support for encryption type

Other keys seem to be working fine still:

$ rsh -x linux uname
This rsh session is encrypting input/output data transmissions.
Linux

Where the KDC reports for the above:

krb5kdc: AS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian at ILINX for krbtgt/ILINX at ILINX
krb5kdc: TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian at ILINX for host/pc.xxx.com at ILINX

My keytab has the following credentials:

$ sudo klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/pc.xxx.com at ILINX (Triple DES cbc mode with HMAC/sha1) 
   2 nfs/pc.xxx.com at ILINX (DES cbc mode with CRC-32) 
   4 host/pc.xxx.com at ILINX (Triple DES cbc mode with HMAC/sha1) 
   4 host/pc.xxx.com at ILINX (DES cbc mode with CRC-32) 

It seems to me that there is some mismatch between key types and what's
supported but I can't for the life of me figure out where.

krb5.conf on pc.xxx.com has:

[libdefaults]
        dns_lookup_realm = true
        dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

#	default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#	default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#	permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5


# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	ILINX = {
		kdc = kerberos.xxx.com
		admin_server = kerberos.xxx.com
	}
...
[domain_realm]
...
        .ilinx = ILINX
        .xxx.com = ILINX


[login]
	krb4_convert = true
	krb4_get_tickets = false

kdc.conf on the KDC has:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    ILINX = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        #dict_file = /usr/share/dict/words
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

Any ideas at all would be much appreciated.

Thanx,
b.
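
Added example, not part of the original post: a small parser for krb5kdc request lines like the ones quoted above, which decodes the offered etype numbers into names and groups rejected offers by service principal. The sample lines are constructed (documentation address and example.com hostnames, with "@" in principals), and the function names are hypothetical; the etype number-to-name table follows the IANA Kerberos registry.

```python
import re
from collections import defaultdict

# Kerberos etype numbers (IANA registry) with their MIT krb5 names.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# Matches both rejected requests and ISSUE lines (which carry rep/tkt/ses etypes).
LINE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?:etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)")

def parse_line(line):
    """Return the fields of one KDC request line, or None if it is not one."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(n) for n in rec["offered"].split()]
    rec["issued"] = int(rec["tkt"]) if rec["tkt"] else None  # ticket etype, if issued
    return rec

def rejected_offers(lines):
    """Map each service principal to every etype offered in a rejected request."""
    out = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            out[rec["service"]].update(rec["offered"])
    return dict(out)

def names(etypes):
    """Translate etype numbers to names, keeping unknown numbers visible."""
    return [ETYPES.get(n, f"etype-{n}") for n in sorted(etypes)]

# Constructed sample lines modelled on the log format in the post.
SAMPLE = [
    "00:20:43 krb5kdc TGS_REQ (1 etypes {16}) 2001:db8::65cc: BAD_ENCRYPTION_TYPE: authtime 0,  nfs/pc.example.com@ILINX for nfs/linux.example.com@ILINX, KDC has no support for encryption type",
    "00:20:43 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:db8::65cc: BAD_ENCRYPTION_TYPE: authtime 0,  nfs/pc.example.com@ILINX for nfs/linux.example.com@ILINX, KDC has no support for encryption type",
    "krb5kdc: TGS_REQ (1 etypes {16}) 2001:db8::65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian@ILINX for host/pc.example.com@ILINX",
]

if __name__ == "__main__":
    for service, offered in rejected_offers(SAMPLE).items():
        print(service, "rejected offers:", names(offered))
```

In the sample, the same etype 16 that is rejected for the nfs service is issued for the host service, which is the contrast the post describes.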
