gss-client encryption types

Frank Balluffi frank.balluffi at db.com
Tue May 7 16:16:01 EDT 2002


When I run gss-client and gss-server on NT 4, gss-server logs the error "Bad encryption type". KDC is Windows 2000.

The service, which is named stmp, has a key of encryption type des-cbc-md5.

krb5.ini contains:

default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5

"kinit client" returns krbtgt with encryption type des-cbc-md5

gss-client and gss-server are run as:

gss-server -port 8001 -once stmp
GSS-API error accepting context: Miscellaneous failure
GSS-API error accepting context: Bad encryption type

gss-client -port 8001 myhost stmp ls
Sending init_sec_context token (size=1132)...continue needed...
GSS-API error initializing context: Miscellaneous failure
GSS-API error initializing context: Generic error (see e-text)

When I debug gss-server, the server key encryption type is 3 (des-cbc-md5), but the ticket encryption type is 1 (des-cbc-crc) and krb5_c_decrypt returns KRB5_BAD_ENCTYPE on line 51 of lib/crypto/decrypt.c. The call stack is:

krb5_c_decrypt
krb5_decrypt_tkt_part
krb5_rd_req_decrypt_tkt_part
krb5_rd_req_decoded_opt
krb5_rd_req_decoded
krb5_rd_req
krb5_gss_accept_sec_context
gss_accept_sec_context
server_establish_context
sign_server
main

When I debug gss-client, get_credentials first requests a ticket of encryption type NULL and receives a ticket of encryption type des-cbc-md5, and secondly (using the hard-coded wanted_enctypes) successfully requests and receives a ticket of encryption type 1 (des-cbc-crc). klist -e shows this, too. wanted_enctypes looks like:

static const krb5_enctype wanted_enctypes[] = {
#if 1
    ENCTYPE_DES3_CBC_SHA1,
#endif
    ENCTYPE_DES_CBC_CRC,
    ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
    0
};

Even though I specified des-cbc-md5 in krb5.ini, the ticket of encryption type des-cbc-crc (not des-cbc-md5) is put into the token, which gss-client sends to gss-server.

I am able to force gss-client to work by modifying get_credentials to request a ticket of encryption type des-cbc-md5.

I have two questions:

1. Why does krb5_gss_init_sec_context pass the hard-coded wanted_enctypes to get_credentials even though krb5.ini, which was read, said otherwise?

2. Is there a way to force gss-client and/or the GSS-API to request and send a ticket of encryption type des-cbc-md5?

Thanks.

Frank
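A small model of the enctype mismatch described in the post above, added here as an example; it is not part of the original message or of MIT krb5. The KDC selection rule (first client-requested enctype for which the service has a key) and the set of single-DES keys the Windows 2000 KDC holds for stmp are assumptions; the wanted_enctypes order and the server's des-cbc-md5-only keytab come from the post.

```python
# Constructed model of the enctype negotiation in the post. Not MIT krb5 code;
# the KDC rule (first client-requested enctype the service has a key for) and
# the Windows 2000 key set are assumptions for illustration.
ENCTYPE_DES_CBC_CRC = 1
ENCTYPE_DES_CBC_MD4 = 2
ENCTYPE_DES_CBC_MD5 = 3
ENCTYPE_DES3_CBC_SHA1 = 16

ENCTYPE_NAMES = {
    ENCTYPE_DES_CBC_CRC: "des-cbc-crc",
    ENCTYPE_DES_CBC_MD4: "des-cbc-md4",
    ENCTYPE_DES_CBC_MD5: "des-cbc-md5",
    ENCTYPE_DES3_CBC_SHA1: "des3-cbc-sha1",
}

# Order of gss-client's hard-coded wanted_enctypes quoted in the post.
WANTED_ENCTYPES = [ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_CRC,
                   ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4]

# Assumed: the W2K KDC can issue stmp tickets under either single-DES enctype.
KDC_SERVICE_KEYS = {ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5}
# From the post: the gss-server keytab holds only a des-cbc-md5 key.
SERVER_KEYTAB = {ENCTYPE_DES_CBC_MD5}


def kdc_select_ticket_enctype(requested, service_keys):
    """Assumed KDC rule: first requested enctype the service has a key for."""
    for etype in requested:
        if etype in service_keys:
            return etype
    return None  # would surface to the client as KDC_ERR_ETYPE_NOSUPP


def server_accept(ticket_enctype, keytab):
    """krb5_rd_req side: decrypting the ticket needs a keytab key of its enctype."""
    return "OK" if ticket_enctype in keytab else "KRB5_BAD_ENCTYPE"


def negotiate(requested, service_keys=KDC_SERVICE_KEYS, keytab=SERVER_KEYTAB):
    """Run one client request through KDC and server; return (ticket enctype, result)."""
    etype = kdc_select_ticket_enctype(requested, service_keys)
    if etype is None:
        return (None, "KDC_ERR_ETYPE_NOSUPP")
    return (ENCTYPE_NAMES[etype], server_accept(etype, keytab))


if __name__ == "__main__":
    print(negotiate(WANTED_ENCTYPES))       # ('des-cbc-crc', 'KRB5_BAD_ENCTYPE')
    print(negotiate([ENCTYPE_DES_CBC_MD5]))  # ('des-cbc-md5', 'OK')
```

The first call reproduces the failure path in the post (ticket enctype 1, server key enctype 3); the second reproduces the workaround of requesting des-cbc-md5 explicitly.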
