Encryption type troubles
Marcus Watts
mdw at umich.edu
Fri Sep 14 13:56:13 EDT 2012
> Date: Fri, 14 Sep 2012 13:41:04 EDT
> To: kerberos at mit.edu
> From: "Martin B. Smith" <smithmb at ufl.edu>
> Subject: Encryption type troubles
>
> Hi all,
>
> I'm trying to debug a problem where I've specifically asked for an
> encryption type that I know my principal has an entry for, but I still
> fail to get a ticket, and I am not getting a lot of good information
> about what's happening. I'll describe the situation below, and I'd
> welcome any feedback about the problem itself or how to gather more
> information.
>
> Thanks!
>
> I've got a principal configured like so:
>
> Number of keys: 6
> Key: vno 27, DES with HMAC/sha1, no salt
> Key: vno 27, DES cbc mode with RSA-MD5, no salt
> Key: vno 27, DES cbc mode with CRC-32, Version 4
> Key: vno 27, DES cbc mode with CRC-32, AFS version 3
> Key: vno 27, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 27, ArcFour with HMAC/md5, no salt
> Attributes: REQUIRES_PRE_AUTH

2 things,

1. Try reordering the enc types. You want strongest first,
   weakest last. I don't think that matters much here,
   but it's a good general practice.
2. Check your krbtgt key types (and any other service tickets
   you want to get). You won't be able to get a service ticket
   for a given enc type if the service doesn't have a key for
   that enc type. (It will probably always be encrypted
   with the *first* key - which is where and why the principal
   key order matters.)

-Marcus Watts
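
The two checks suggested in the reply, run over key listings in the layout quoted above; this is an added example, not code from the thread or from the Kerberos project. The krbtgt listing is constructed, and the strength ranking and the choice to consider only the highest kvno are assumptions of this sketch.

```python
import re

# Constructed sample: the client key list quoted in the post, same layout.
CLIENT = """\
Key: vno 27, DES with HMAC/sha1, no salt
Key: vno 27, DES cbc mode with RSA-MD5, no salt
Key: vno 27, DES cbc mode with CRC-32, Version 4
Key: vno 27, DES cbc mode with CRC-32, AFS version 3
Key: vno 27, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 27, ArcFour with HMAC/md5, no salt
"""
# Constructed sample: a hypothetical krbtgt key list (not from the post).
KRBTGT = """\
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
"""

KEY_RE = re.compile(r"^\s*Key: vno (\d+), (.+), ([^,\n]+)$", re.M)
# Assumed ranking by cipher family; "Triple DES" is tested before plain "DES".
FAMILIES = [("Triple DES", 3), ("ArcFour", 2), ("DES", 1)]

def parse_keys(text):
    """Return [(kvno, enctype, salt)] for the highest kvno, in listed order."""
    keys = [(int(v), e.strip(), s.strip()) for v, e, s in KEY_RE.findall(text)]
    current = max((k[0] for k in keys), default=None)
    return [k for k in keys if k[0] == current]

def strength(enctype):
    return next((rank for name, rank in FAMILIES if name in enctype), 0)

def strongest_first(keys):
    ranks = [strength(e) for _, e, _ in keys]
    return all(a >= b for a, b in zip(ranks, ranks[1:]))

def has_key(keys, enctype):
    return any(e == enctype for _, e, _ in keys)

def report(client_text, service_text, requested):
    client, service = parse_keys(client_text), parse_keys(service_text)
    return {
        "client_strongest_first": strongest_first(client),
        "client_has_requested": has_key(client, requested),
        "service_has_requested": has_key(service, requested),
        "service_first_key": service[0][1] if service else None,
    }

if __name__ == "__main__":
    print(report(CLIENT, KRBTGT, "ArcFour with HMAC/md5"))
```
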