problem with master_key_type = des3-cbc-sha1?

Will Fiveash william.fiveash at
Wed May 15 19:24:01 EDT 2002

Before I submit a bug I'd like to verify that what I am seeing is
really a bug and not a problem specific to my setup.  The thing that
I'm bothered by is the enctype associated with the master key.  I was
testing to make sure I can set it to des3-cbc-sha1.

I'm using MIT 1.2.5 and I've got the following in /etc/kdc.conf:

        MIT122.ENG.SUN.COM = {
                profile = /etc/krb5.conf
                database_name = /usr/local/var/krb5kdc/principal
                admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
                acl_file = /usr/local/var/krb5kdc/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                master_key_type = des3-cbc-sha1
                supported_enctypes = des3-cbc-sha1:normal
                kdc_supported_enctypes = des3-cbc-sha1:normal
                max_renewable_life = 7d 0h 0m 0s

When I do:

/usr/local/sbin/kdb5_util create -r MIT122.ENG.SUN.COM -s

and then do a getprinc K/M at MIT122.ENG.SUN.COM I see:

Principal: K/M at MIT122.ENG.SUN.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed May 15 15:50:37 PDT 2002
(db_creation at MIT122.ENG.SUN.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Policy: [none]

Notice the Key: enctype is DES/CRC-32 and not DES3/SHA1.  I thought
that setting master_key_type = des3-cbc-sha1 for the specified realm
would cause the master key enctype to be DES3/SHA1.  Also note that if
I do (as root):

# /usr/local/sbin/kdb5_util create -r MIT122.ENG.SUN.COM -s -k des3-cbc-sha1

(notice the -k arg) and then:

# /usr/local/sbin/kadmin.local
Authenticating as principal fiveash/admin at MIT122.ENG.SUN.COM with
kadmin.local: Stored master key is corrupted while initializing kadmin.local 

So kadmin.local exits with an error when I force the use of
des3-cbc-sha1 for the master key.  Is this a MIT bug?

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

More information about the krbdev mailing list