Applying policy results in Bad encryption type
BuzzSaw Code
buzzsaw.code at gmail.com
Tue Mar 12 15:53:18 EDT 2024
We did a server replacement of our master KDC that had been on RHEL7
for years to finally upgrade to RHEL8. We did a dump of the database
prior to the swap, we still have the old server sitting around as
well. Principal database is on disk in old db2 style. Kerberos
version is 1.18 for RHEL8, RHEL7 version is 1.15.
Everything went smooth, except any attempt to change a password results in:
"change_password: Bad encryption type while changing password for < principal >"
Doesn't matter if it is done over the network or with kadmin.local.
If we unset the password policy for an account (modprinc -clearpolicy)
we can change the password, but this isn't ideal.
- We disabled FIPS and RHEL8 new crypto policies which gave no change
- We restored the database again, with no change in behavior.
- We removed policies from all accounts, removed all policies,
recreated all policies, and re-applied all the policies to every
account. No change.
I'm stumped and have been trying different things for about 12 hours - help ?
More information about the Kerberos
mailing list