[krbdev.mit.edu #2155] krb5-1.3.x testing with default_tgs_enctypes in krb5.conf

DEEngert@anl.gov via RT rt-comment at krbdev.mit.edu
Fri Jan 23 15:21:47 EST 2004


With krb5-1.3.2-beta2 and krb5-1.3.1 on Solaris 5.7, if the krb5.conf has 
default_tgs_enctypes = des-cbc-crc, kadmin fails.  It works with krb5-1.2.8.

I think this is a similar problem to what I was seeing with KfW. My 
circumvention is to drop the use of the default_*_enctypes.

It appears that in 1.3.1 or 1.3.2-beta when the AS_AS_REQ is issued the 
default_tgs_enctypes is ignored.  

With or without the default_tgs_enctypes, it looks like the KDC issues a ticket:

Jan 23 13:43:05 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (4 etypes {16 23 3 1}) 
146.137.180.252(88): ISSUE: authtime 1074886985,etypes {rep=16 tkt=16 ses=16}, 
b17783/admin at KRB5.ANL.GOV for kadmin/admin at KRB5.ANL.GOV

But once the ticket is received, it fails as the ticket has rep=16 and ses=16
which is not in the default_tgs_enctypes.

/krb5/sbin/kadmin -r KRB5.ANL.GOV -p b17783/admin at KRB5.ANL.GOV
Authenticating as principal b17783/admin at KRB5.ANL.GOV with password.
Password for b17783/admin at KRB5.ANL.GOV: 
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface


With krb5-1.2.8 it works as expected:

With the default_tgs_enctypes = des-cbc-crc:

Jan 23 13:53:23 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (1 etypes {1}) 
146.137.180.252(88): ISSUE: authtime 1074887603, etypes {rep=1 tkt=16 ses=1}, 
b17783/admin at KRB5.ANL.GOV for kadmin/admin at KRB5.ANL.GOV


Without the default_tgs_enctypes:

Jan 23 13:54:23 chimera.ctd.anl.gov krb5kdc[324]: AS_REQ (3 etypes {16 3 1})
146.137.180.252(88): ISSUE: authtime 1074887663, etypes {rep=16 tkt=16 ses=16},
b17783/admin at KRB5.ANL.GOV for kadmin/admin at KRB5.ANL.GOV


The user, krbtgt and kadmin/admin all have both des-cbc-crc and des3-cbc-sha1
keys.  



-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
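
The comparison made by eye in the message above, as an added example that is not part of the original post or of the krb5 code: it parses krb5kdc AS_REQ ISSUE lines and reports requested, reply and session-key enctypes that fall outside a caller-supplied list. The function names and the idea of passing the configured list as a string are assumptions of this example; the log lines are the ones from the post, unwrapped.

```python
import re

# Enctype numbers that appear in the post's KDC log lines (IANA assignments).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac"}
BY_NAME = {name: num for num, name in ETYPES.items()}

AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\).*?ISSUE:.*?"
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}")

def parse_as_req(line):
    """Return requested/rep/tkt/ses enctype numbers, or None if no match."""
    m = AS_REQ_RE.search(line)
    if m is None:
        return None
    entry = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    entry["requested"] = [int(n) for n in m.group("req").split()]
    return entry

def audit(line, configured):
    """Compare one AS_REQ ISSUE line with a space-separated enctype name list."""
    entry = parse_as_req(line)
    if entry is None:
        return ["not an AS_REQ ISSUE line"]
    allowed = {BY_NAME[name] for name in configured.split()}
    findings = []
    extra = [ETYPES.get(e, str(e)) for e in entry["requested"] if e not in allowed]
    if extra:
        findings.append("requested outside configured list: " + " ".join(extra))
    # tkt is skipped: the ticket is encrypted in the service's key, not the client's.
    for field in ("rep", "ses"):
        if entry[field] not in allowed:
            findings.append(f"{field}={entry[field]} not in configured list")
    return findings

# The three KDC log entries from the post, each unwrapped onto one line.
TAIL = "b17783/admin at KRB5.ANL.GOV for kadmin/admin at KRB5.ANL.GOV"
HEAD = "chimera.ctd.anl.gov krb5kdc[324]: AS_REQ"
LOG_13X = (f"Jan 23 13:43:05 {HEAD} (4 etypes {{16 23 3 1}}) 146.137.180.252(88): "
           f"ISSUE: authtime 1074886985,etypes {{rep=16 tkt=16 ses=16}}, {TAIL}")
LOG_128_SET = (f"Jan 23 13:53:23 {HEAD} (1 etypes {{1}}) 146.137.180.252(88): "
               f"ISSUE: authtime 1074887603, etypes {{rep=1 tkt=16 ses=1}}, {TAIL}")
LOG_128_UNSET = (f"Jan 23 13:54:23 {HEAD} (3 etypes {{16 3 1}}) 146.137.180.252(88): "
                 f"ISSUE: authtime 1074887663, etypes {{rep=16 tkt=16 ses=16}}, {TAIL}")

if __name__ == "__main__":
    for log in (LOG_13X, LOG_128_SET, LOG_128_UNSET):
        print(audit(log, "des-cbc-crc") or "consistent with configured list")
```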

