CANT_FIND_CLIENT_KEY
Matt Zagrabelny
mzagrabe at d.umn.edu
Tue Mar 30 20:13:21 EDT 2010
On Tue, 2010-03-30 at 15:07 -0700, Russ Allbery wrote:
> Matt Zagrabelny <mzagrabe at d.umn.edu> writes:
> > On Tue, 2010-03-30 at 14:46 -0700, Russ Allbery wrote:
>
> >> You need it on the client in addition to the server.
>
> > Good to know. :)
>
> > Unfortunately, the client is a Cisco Catalyst 3750. :/
>
> > workstation% telnet.netkit switch3750
> > Trying 10.25.1.14...
> > 'autologin': unknown argument ('toggle ?' for help).
> > Connected to switch3750.d.umn.edu.
> > Escape character is '^]'.
>
> Then that's probably not the problem. The Cisco box almost certainly
> hasn't disabled DES (it's probably the only enctype that it supports).
>
> Please show the getprinc output for your krbtgt/* key and the user
> principal that you're using. I bet one or the other of them has no DES
> key.
Indeed.
kadmin.local: getprinc mzagrabe
Principal: mzagrabe at D.UMN.EDU
Expiration date: [never]
Last password change: Wed Mar 24 15:44:13 CDT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Mar 30 16:27:51 CDT 2010 (root/admin at D.UMN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes:
Policy: [none]
kadmin.local: getprinc krbtgt/D.UMN.EDU
Principal: krbtgt/D.UMN.EDU at D.UMN.EDU
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Sep 05 14:08:25 CDT 2009 (db_creation at D.UMN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

It looks like the mzagrabe principal is missing the:

Key: vno 1, DES cbc mode with CRC-32, no salt

How would I add that key to the principal?

Thanks,
-matt
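
The comparison made in this message (which principal has no single-DES key) can be scripted over saved getprinc output. The Python below is an added example, not part of the original message or of any Kerberos distribution; the helper names are hypothetical and the sample is trimmed from the output shown above.

```python
import re

# Added example (hypothetical helper names). SAMPLE is trimmed from the getprinc
# output in the message; the archive's "user at REALM" form is normalized below.
SAMPLE = """\
Principal: mzagrabe at D.UMN.EDU
Number of keys: 3
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Principal: krbtgt/D.UMN.EDU at D.UMN.EDU
Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
"""

KEY_RE = re.compile(r"^Key: vno (\d+), (.+), ([^,]+)$")
# Anchored at the start so "Triple DES cbc mode ..." does not count as single DES.
SINGLE_DES_RE = re.compile(r"^DES cbc mode\b")

def parse_getprinc(text):
    """Return {principal: [(kvno, enctype, salt), ...]} from getprinc output."""
    keys, declared, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip().replace(" at ", "@")
            keys[current] = []
        elif line.startswith("Number of keys:") and current:
            declared[current] = int(line.split(":", 1)[1])
        elif current and (m := KEY_RE.match(line)):
            keys[current].append((int(m.group(1)), m.group(2), m.group(3)))
    for name, count in declared.items():
        if count != len(keys[name]):  # truncated paste or unparsed key line
            raise ValueError(f"{name}: expected {count} keys, parsed {len(keys[name])}")
    return keys

def has_single_des(entries):
    """True if the newest key version (highest vno) includes a single-DES key."""
    newest = max((kvno for kvno, _, _ in entries), default=None)
    return any(k == newest and SINGLE_DES_RE.match(e) for k, e, _ in entries)

def lacking_single_des(keys):
    return [name for name, entries in keys.items() if not has_single_des(entries)]

if __name__ == "__main__":
    print(lacking_single_des(parse_getprinc(SAMPLE)))
```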