e-type / kvno processing in 1.8

Tim Metz tpmetz at ucdavis.edu
Mon Sep 27 16:01:56 EDT 2010


Russ Allbery wrote:
> Tim Metz <tpmetz at ucdavis.edu> writes:
>
>> We have in our MIT KDC some legacy principals that were imported from 
>> another commercial Kerberos product. For kvno=0, they have an unknown 
>> e-type.  For kvno=1, they have an e-type "DES cbc mode with CRC-32, 
>> Version 4".
>
>> Under MIT versions 1.6.3 and 1.7.1, running kinit against these 
>> principals is functional.
>
>> Starting with MIT version 1.8 however, using the same import process for 
>> the principals, kinit fails as follows:
>
>> kinit -k -t /etc/krb5.keytab host/hostname.example.com
>> kinit(v5): KDC has no support for encryption type while getting initial 
>> credentials
>
>> At first pass, the problem at least has the appearance that it could be 
>> related to kvno processing code.  More specifically, in versions prior 
>> to 1.8 if a kvno=0 contained an unsupported encryption type, processing 
>> would continue to kvno=1 and succeed.  Starting with version 1.8, it 
>> looks like if kvno=0 has an unsupported e-type, processing fails, and 
>> does not continue on to consult kvno=1.
>
> I suspect you have a much simpler problem, namely that 1.8 disabled
> support for DES by default.  Try adding:
>
>     allow_weak_crypto     = true
>
> to the [libdefaults] section of krb5.conf for your KDCs and see if that
> changes matters.

Thanks, Russ.  I intended to include, and realized after sending that I 
hadn't, the information that we have "allow_weak_crypto = true" in the 
[libdefaults] section of our kdc.conf and krb5.conf.  We can create 
principals with only "DES cbc mode with CRC-32", and successfully kinit 
against them, so I believe the KDC is supporting weak e-types.





