permitted_enctypes = "des-cbc-crc" triggers 'kinit: Generic error (see e-text) while getting initial credentials'
ольга крыжановская
olga.kryzhanovska at gmail.com
Fri Mar 21 06:16:31 EDT 2014
Plain des-cbc-crc only authentication doesn't seem to be supported, any more:
$ kadmin
Authenticating as principal root/admin at MINIPAX.TERRORONWAR.ORG with password.
kadmin: KDC has no support for encryption type while initializing
kadmin interface
Olga
On Thu, Mar 20, 2014 at 11:32 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> On Thu, 20 Mar 2014, Wendy Lin wrote:
>
>> I have this in my Suse 11.3 /etc/krb.conf for libdefaults:
>>
>> allow_weak_crypto = true
>> # permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1
>> aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"
>> permitted_enctypes = "des-cbc-crc"
>>
>> Now if I try to kinit I get this error:
>>
>> kinit
>> kinit: Generic error (see e-text) while getting initial credentials
>
> If your client is only trying to use des-cbc-crc (a bad idea, see RFC
> 6649) but the KDC does not have a key for your principal of that enctype,
> attempting to get a ticket cannot succeed -- there is no key that both
> parties will use to secure the communication.
>
> -Ben Kaduk
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
, _ _ ,
{ \/`o;====- Olga Kryzhanovska -====;o`\/ }
.----'-/`-/ olga.kryzhanovska at gmail.com \-`\-'----.
`'-..-| / http://twitter.com/fleyta \ |-..-'`
/\/\ Solaris/BSD//C/C++ programmer /\/\
`--` `--`
More information about the Kerberos
mailing list