Encryption type troubles

Martin B. Smith smithmb at ufl.edu
Fri Sep 14 13:41:04 EDT 2012


Hi all,

I'm trying to debug a problem where I've specifically asked for an 
encryption type that I know my principal has an entry for, but I still 
fail to get a ticket, and I am not getting a lot of good information 
about what's happening. I'll describe the situation below, and I'd 
welcome any feedback about the problem itself or how to gather more 
information.

Thanks!

I've got a principal configured like so:

Number of keys: 6
Key: vno 27, DES with HMAC/sha1, no salt
Key: vno 27, DES cbc mode with RSA-MD5, no salt
Key: vno 27, DES cbc mode with CRC-32, Version 4
Key: vno 27, DES cbc mode with CRC-32, AFS version 3
Key: vno 27, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 27, ArcFour with HMAC/md5, no salt
Attributes: REQUIRES_PRE_AUTH

I've got a client configured like so:

[libdefaults]
    default_tkt_enctypes = des3-hmac-sha1
    default_tgs_enctypes = des3-hmac-sha1
    permitted_enctypes = des3-hmac-sha1
    supported_enctypes = des3-hmac-sha1
    allow_weak_crypto = false

But, when I try to kinit, I get:

kinit: KDC has no support for encryption type while getting initial credentials

My logs on the KDC clearly say the same thing:

krb5kdc[2783](info): AS_REQ (1 etypes {16}) 10.253.17.19: BAD_ENCRYPTION_TYPE

Checking type 16, it's definitely des3-hmac-sha1.

This situation seems straightforward... why doesn't it work?

FWIW, the kdc.conf has:

         supported_enctypes = des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-crc:afs3 des3-hmac-sha1:normal arcfour-hmac:normal

And encryption types aren't mentioned anywhere else in kdc.conf.

Thanks all,
-- 
Martin B. Smith, Systems Administrator
smithmb at ufl.edu - (352) 273-1329
UF Information Technology, CNS/Open Systems Group
University of Florida
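
The manual check described in the message above, as an added example that is not part of the original post: it reads the enctype list from a KDC AS_REQ log line and reports which keys in a kadmin getprinc listing match each requested type. The function names and the description-to-number table are this example's own assumptions (numbers as MIT krb5 defines them); the sample input is copied from the post, and the same check can be run against the key listing of any principal.

```python
import re

# kadmin getprinc key descriptions seen in the post, mapped to the enctype
# numbers MIT krb5 uses for them (table assembled for this example).
ETYPE_BY_DESC = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
    "DES with HMAC/sha1": 8,
    "Triple DES cbc mode with HMAC/sha1": 16,
    "ArcFour with HMAC/md5": 23,
}

# Constructed sample input: the log line and key list copied from the post.
KDC_LOG = ("krb5kdc[2783](info): AS_REQ (1 etypes {16}) 10.253.17.19: "
           "BAD_ENCRYPTION_TYPE")
GETPRINC_KEYS = """\
Key: vno 27, DES with HMAC/sha1, no salt
Key: vno 27, DES cbc mode with RSA-MD5, no salt
Key: vno 27, DES cbc mode with CRC-32, Version 4
Key: vno 27, DES cbc mode with CRC-32, AFS version 3
Key: vno 27, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 27, ArcFour with HMAC/md5, no salt
"""

def requested_etypes(log_line):
    """Return the enctype numbers a client offered in a logged AS_REQ."""
    m = re.search(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\)", log_line)
    return [int(n) for n in m.group(1).split()] if m else []

def principal_keys(getprinc_text):
    """Parse 'Key:' lines into (kvno, enctype number or None, salt) tuples."""
    keys = []
    for line in getprinc_text.splitlines():
        m = re.match(r"\s*Key: vno (\d+), (.+), ([^,]+)$", line)
        if m:  # an unrecognised description yields enctype None
            keys.append((int(m.group(1)), ETYPE_BY_DESC.get(m.group(2)),
                         m.group(3).strip()))
    return keys

def coverage(requested, keys):
    """For each requested enctype, list the (kvno, salt) keys that match it."""
    return {e: [(k, s) for k, et, s in keys if et == e] for e in requested}

if __name__ == "__main__":
    result = coverage(requested_etypes(KDC_LOG), principal_keys(GETPRINC_KEYS))
    for etype, hits in result.items():
        print(etype, hits or "no key of this enctype")
```
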


