[krbdev.mit.edu #2155] krb5-1.3.x testing with default_tgs_enctypes in krb5.conf

DEEngert@anl.gov via RT rt-comment at krbdev.mit.edu
Mon Feb 2 12:08:21 EST 2004


Here is some more insight. It looks like a TGT can be requested by the 
initiator (gss terms) which has enctypes the initiator believes 
the acceptor can use. It is then delegated, and stored in the cache. 
When some other application goes to use the delegated TGT, 
it may not be found if default_*enctypes does not contain the 
enctypes used in the TGT. 

By updating the krb5.conf on 1.2.8: 

      default_tkt_enctypes = des-cbc-crc,des-cbc-md5
      default_tgs_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1 

and the krb5.conf on 1.3.2:

     default_tkt_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1,arcfour-hmac-md5
     default_tgs_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1,arcfour-hmac-md5

I think I can do as well as can be expected during a transition to using 1.3.x 
everywhere. At that time I believe we can put the arcfour-hmac-md5 first
in the list.  


Jeffrey Altman via RT wrote:
> 
> The following is a comment from Doug from a thread on why he is unable
> to delegate tickets via GSSAPI from Kerberos for Windows.  We originally
> thought the problem was caused by the Ticket importation via the new
> MSLSA krb5_ccache type.  However, this makes it clear that the problem
> is elsewhere:
> 
> By removing "default_tkt_enctypes" and "default_tgs_enctypes" in the
> krb5.ini, gssapi can get forwardable TGTs. I think the problem may be in
> the fwd_tgt.c where it is trying to guess what etype the host can handle.
> 
> In the following 2 examples the TGT to be forwarded is obtained from the
> MS AD. The hosts are in the MIT realm.
> 
> This is strange because on one host the host principal in the MIT realm
> has only a des-cbc-crc key, and this is what was in the "default_*_enctypes"
> and that is what is finally returned in the forwarded TGT. But it
> only works if I remove the "default_*_enctypes".
> 
> In the other host the host principal has both a 3des and a des-cbc-crc key,
> yet the forward TGT has RC4-HMAC.  The system is running krb5-1.2.8 and
> does not understand rc4-hmac! (This system needs to be updated to 1.3.x)
> 
> I believe that the fwd_tgt.c code is confused. But there is no
> debugging output, and the gssapi silently continues if delegation
> fails. It may have been confused, because the imported TGT had RC4-HMAC,
> which was not in its list of "default_*_enctypes". If I let Leash
> get the tickets, it honored the "default_*_enctypes" and gets an initial
> TGT with des-cbc-crc.
> 
> So I am running without the "default_*_enctypes" for now.
> 
> Doug
> _______________________________________________
> krb5-bugs mailing list
> krb5-bugs at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krb5-bugs

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
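An added example, not code from this thread or from MIT krb5, that models the mismatch Doug describes: a delegated TGT arrives in the credential cache with whatever enctype the initiator negotiated, and a client whose default_tgs_enctypes list omits that enctype cannot use it. The two krb5.conf fragments are the ones quoted above (placed under the [libdefaults] section they belong to); the cache contents, realm and host names are constructed sample data, not a real ccache dump, and the rule "flag any cached ticket whose enctype is missing from default_tgs_enctypes" is an assumption that follows Doug's account rather than the library's exact code path.

```python
"""Check cached ticket enctypes against a krb5.conf enctype list.

Added example for the krb5-bugs thread on default_*_enctypes; it is not
MIT krb5 code.  The rule it applies is the one Doug describes: a ticket
whose enctype is not in default_tgs_enctypes is treated as unusable.
"""
import re

# The 1.2.8 fragment from the thread, under [libdefaults].
KRB5_CONF_128 = """
[libdefaults]
      default_tkt_enctypes = des-cbc-crc,des-cbc-md5
      default_tgs_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1
"""

# The 1.3.2 fragment from the thread, under [libdefaults].
KRB5_CONF_132 = """
[libdefaults]
     default_tkt_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1,arcfour-hmac-md5
     default_tgs_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1,arcfour-hmac-md5
"""

# Constructed sample cache: service principal -> ticket enctype.
# EXAMPLE.COM and server.example.com are hypothetical names.
SAMPLE_CACHE = {
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM": "arcfour-hmac-md5",  # TGT delegated from AD
    "host/server.example.com@EXAMPLE.COM": "des-cbc-crc",
}


def parse_enctype_lists(conf_text):
    """Return {option: [enctype, ...]} for default_tkt_enctypes and
    default_tgs_enctypes found in the [libdefaults] section.

    Only the comma/whitespace-separated list syntax is handled; that is
    the form shown in the thread.
    """
    section = None
    result = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ("default_tkt_enctypes", "default_tgs_enctypes"):
            result[key] = [e for e in re.split(r"[,\s]+", value) if e]
    return result


def unusable_tickets(conf_text, cache):
    """Return the sorted principals whose cached ticket enctype is absent
    from default_tgs_enctypes.  When the option is unset, the library's
    full supported list applies, so nothing is flagged (this matches Doug's
    observation that removing the options made delegation work)."""
    allowed = parse_enctype_lists(conf_text).get("default_tgs_enctypes")
    if allowed is None:
        return []
    return sorted(p for p, etype in cache.items() if etype not in allowed)


def missing_enctypes(conf_text, cache):
    """Return the sorted set of enctypes present in the cache but missing
    from default_tgs_enctypes, i.e. what an admin would need to add."""
    allowed = parse_enctype_lists(conf_text).get("default_tgs_enctypes")
    if allowed is None:
        return []
    return sorted({etype for etype in cache.values() if etype not in allowed})


if __name__ == "__main__":
    for name, conf in (("1.2.8", KRB5_CONF_128), ("1.3.2", KRB5_CONF_132)):
        print(f"krb5.conf ({name}):")
        print("  unusable:", unusable_tickets(conf, SAMPLE_CACHE) or "none")
        print("  add to default_tgs_enctypes:", missing_enctypes(conf, SAMPLE_CACHE) or "none")
```

Run against the 1.2.8 fragment, the script flags the RC4-HMAC TGT delegated from AD, which is the symptom in the thread; against the 1.3.2 fragment, which lists arcfour-hmac-md5, nothing is flagged.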

