e-type / kvno processing in 1.8

Russ Allbery rra at stanford.edu
Mon Sep 27 15:47:55 EDT 2010


Tim Metz <tpmetz at ucdavis.edu> writes:

> We have in our MIT KDC some legacy principals that were imported from 
> another commercial Kerberos product. For kvno=0, they have an unknown 
> e-type.  For kvno=1, they have an e-type "DES cbc mode with CRC-32, 
> Version 4".

> Under MIT versions 1.6.3 and 1.7.1, running kinit against these 
> principals is functional.

> Starting with MIT version 1.8 however, using the same import process for 
> the principals, kinit fails as follows:

> kinit -k -t /etc/krb5.keytab host/hostname.example.com
> kinit(v5): KDC has no support for encryption type while getting initial 
> credentials

> At first pass, the problem at least has the appearance that it could be 
> related to kvno processing code.  More specifically, in versions prior 
> to 1.8 if a kvno=0 contained an unsupported encryption type, processing 
> would continue to kvno=1 and succeed.  Starting with version 1.8, it 
> looks like if kvno=0 has an unsupported e-type, processing fails, and 
> does not continue on to consult kvno=1.

I suspect you have a much simpler problem, namely that 1.8 disabled
support for DES by default.  Try adding:

    allow_weak_crypto     = true

to the [libdefaults] section of krb5.conf for your KDCs and see if that
changes matters.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


