[krbdev.mit.edu #4345] des-cbc-md5
Arlene Berry via RT
rt-comment at krbdev.mit.edu
Tue Sep 26 15:32:03 EDT 2006
For some time now I have noticed that if in krb5.conf you set
default_tkt_enctypes and default_tgs_enctypes to a single value of
des-cbc-md5, kinit fails with a "KDC has no support for encryption type"
message. Remove it or add another encryption type and kinit succeeds. I am
working with a third party Kerberos/gssapi implementation, it receives the
same error, and there is no workaround for it.
In src/kdc/kdc_util.c there's a function dbentry_supports_enctype which has a
hardcoded return value of 0 if the enctype parameter is des-cbc-md5. The
function which calls dbentry_supports_enctype is select_session_keytype also
in kdc_util.c and it then returns 0. The function which calls
select_session_keytype is process_as_req in src/kdc/do_as_req.c and it then
sets the KRB5KDC_ERR_ETYPE_NOSUPP error and creates the error message for
the client. I commented out the hardcoded return 0 for des-cbc-md5 in
dbentry_supports_enctype, and then everything seemed to work.
The code takes this same path with both kinit and the third party Kerberos
implementation. I happen to have my KDC configured for only the des-cbc-md5
enctype but I have seen the error message in the past when using multiple
enctypes.