problem with master_key_type = des3-cbc-sha1?

Sam Hartman hartmans at MIT.EDU
Thu May 16 12:33:01 EDT 2002

>>>>> "Will" == Will Fiveash <william.fiveash at> writes:

    Will> On Thu, May 16, 2002 at 09:32:29AM -0400, Sam Hartman wrote:
    >> I think you wanted des3-hmac-sha1 not des3-cbc-sha1.

    Will> This didn't help.  If I set master_key_type = des3-hmac-sha1
    Will> and use:

As you point out below I'm confused and they are aliases.

I never can remember what's a valid alias and the code is really bad
about ignoring enctypes it doesn't understand.

    Will>    /usr/local/sbin/kdb5_util create -r MIT122.ENG.SUN.COM -s

    Will> the enctype associated with K/M@MIT122.ENG.SUN.COM is
    Will> ENCTYPE_DES_CBC_CRC.  If I do:

    Will>    /usr/local/sbin/kdb5_util create -r MIT122.ENG.SUN.COM -s
    Will> -k des3-hmac-sha1

    Will> then kadmin.local returns this error message:

    Will> Authenticating as principal
    Will> hooshang/admin@MIT122.ENG.SUN.COM with password.
    Will> kadmin.local: Stored master key is corrupted while
    Will> initializing kadmin.local interface

    Will> Can you get the enctype for K/M@REALM to be des3-hmac-sha1?
    Will> Does kadmin.local, kadmin and kdc work?  I'm also wondering
    Will> what the default enctype for the master key should be.

Yes.  My Debian packages do this by default.

I end up with a kdc.conf like the following:

default_realm = SUCHDAMAGE.ORG
kdc_ports = 750,88

SUCHDAMAGE.ORG = {
    database_name = /var/lib/krb5kdc/principal
    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    acl_file = /etc/krb5kdc/kadm5.acl
    key_stash_file = /etc/krb5kdc/stash
    kdc_ports = 750,88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = des3-hmac-sha1
    supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
    default_principal_flags = +preauth

kadmin.local, kadmind and krb5kdc all work; getprinc on K/M shows a
des3 enctype.
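
Added example, not part of the original message and not krb5 code: since the message notes that enctype names the code does not understand get ignored, this check flags unrecognised names in master_key_type and supported_enctypes of a realm stanza before the database is created. The allow-list holds only names that appear in this thread; the realm EXAMPLE.ORG, the function names and the sample stanza are constructed for illustration.

```python
import re

# Assumption: allow-list built only from enctype names that appear in this thread.
# Swap in the names documented for the krb5 release that is actually installed.
KNOWN_ENCTYPES = {"des3-hmac-sha1", "des3-cbc-sha1", "des-cbc-crc", "des"}
ENCTYPE_KEYS = ("master_key_type", "supported_enctypes")


def realm_settings(conf_text, realm):
    """Return {key: value} for the 'REALM = { ... }' stanza in kdc.conf text."""
    m = re.search(
        r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)(?:^\s*\}|\Z)",
        conf_text, re.S | re.M)
    if not m:
        raise ValueError("no stanza for realm %s" % realm)
    settings = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def unknown_enctypes(conf_text, realm, known=KNOWN_ENCTYPES):
    """List (key, name) pairs whose enctype name is not in the allow-list."""
    settings = realm_settings(conf_text, realm)
    findings = []
    for key in ENCTYPE_KEYS:
        for item in settings.get(key, "").replace(",", " ").split():
            name = item.split(":", 1)[0]  # drop the ':salt' part of enctype:salt
            if name not in known:
                findings.append((key, name))
    return findings


# Constructed sample input, modelled on the stanza in the message above.
SAMPLE = """
EXAMPLE.ORG = {
    database_name = /var/lib/krb5kdc/principal
    master_key_type = des3-hmac-sha
    supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:v4 3des:normal
}
"""

if __name__ == "__main__":
    for key, name in unknown_enctypes(SAMPLE, "EXAMPLE.ORG"):
        print("%s: unrecognised enctype name %r" % (key, name))
```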
