e-type / kvno processing in 1.8
Russ Allbery
rra at stanford.edu
Mon Sep 27 15:47:55 EDT 2010
Tim Metz <tpmetz at ucdavis.edu> writes:

> We have in our MIT KDC some legacy principals that were imported from
> another commercial Kerberos product. For kvno=0, they have an unknown
> e-type. For kvno=1, they have an e-type "DES cbc mode with CRC-32,
> Version 4".
>
> Under MIT versions 1.6.3 and 1.7.1, running kinit against these
> principals is functional.
>
> Starting with MIT version 1.8 however, using the same import process for
> the principals, kinit fails as follows:
>
>     kinit -k -t /etc/krb5.keytab host/hostname.example.com
>     kinit(v5): KDC has no support for encryption type while getting initial
>     credentials
>
> At first pass, the problem at least has the appearance that it could be
> related to kvno processing code. More specifically, in versions prior
> to 1.8 if a kvno=0 contained an unsupported encryption type, processing
> would continue to kvno=1 and succeed. Starting with version 1.8, it
> looks like if kvno=0 has an unsupported e-type, processing fails, and
> does not continue on to consult kvno=1.

I suspect you have a much simpler problem, namely that 1.8 disabled
support for DES by default. Try adding:

    allow_weak_crypto = true

to the [libdefaults] section of krb5.conf for your KDCs and see if that
changes matters.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
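
The following is an added example, not part of the original message and not code from MIT Kerberos: a small audit helper that reads krb5.conf text and reports whether the allow_weak_crypto setting discussed above is in effect in [libdefaults], and therefore whether a single-DES key such as des-cbc-crc would be permitted. The sample configuration, the function names and the choice to keep the first duplicate relation are assumptions made for illustration.

```python
import re

# Boolean spellings accepted in krb5.conf.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}
# Single-DES enctype names; "DES cbc mode with CRC-32" is des-cbc-crc.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ; allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def libdefaults(conf_text):
    """Return the top-level relations of [libdefaults] as a dict."""
    section, depth, found = None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if depth == 0 and header:
            section = header.group(1)
        elif line.startswith("}"):
            depth = max(depth - 1, 0)     # end of a { ... } subsection
        else:
            key, sep, value = (p.strip() for p in line.partition("="))
            if value == "{":
                depth += 1                # start of a subsection
            elif sep and depth == 0 and section == "libdefaults":
                found.setdefault(key, value)  # first occurrence kept (assumption)
    return found

def allow_weak_crypto(conf_text):
    """Effective allow_weak_crypto; treated as false when unset, as in 1.8."""
    value = libdefaults(conf_text).get("allow_weak_crypto", "false").lower()
    if value in TRUE_WORDS:
        return True
    if value in FALSE_WORDS:
        return False
    raise ValueError(f"unrecognised boolean: {value!r}")

def enctype_permitted(conf_text, enctype):
    """False when a single-DES enctype is named and weak crypto is off."""
    return enctype.lower() not in SINGLE_DES or allow_weak_crypto(conf_text)
```

Run against each KDC's and client's krb5.conf, this separates hosts where DES keys are still accepted from hosts where legacy DES-only principals will fail until they are re-keyed.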