Multiple ETYPE-INFO-ENTRY with same etype but different salts
Martin B. Smith
smithmb at ufl.edu
Sun Jul 17 10:09:28 EDT 2011
On 07/17/2011 03:18 AM, Weijun Wang wrote:
>> In this case, the etype-info2 entries are determined by the keys in
>> the KDB records. The KDC administrator could change the
>> supported_enctypes variable to include only one des-cbc-crc entry and
>> then have the affected users change their passwords.
> The customer has tens of thousands of existing accounts and cannot do a
> simple password reset. Is it possible to remove the ETYPE-INFO-ENTRY
> with only realm as salt by reconfigure the KDC? Or, is there a tool to
> clean up the KDC records automatically?
Hi Greg & all,
First of all, thank you *very* much for your help with this issue. It's
been a severe hold-up for us in terms of upgrading various kerberized
clients (specifically Java).
Doesn't removing the offending enctype that is putting bad salts in the
KDB records just mask a bug with that enctype? We have brand new
principals that are affected by this issue every day, so it seems like
one of the enctypes is actually broken if it's generating invalid salts.
Our current list of supported enctypes is:
supported_enctypes = des-hmac-sha1:normal des-cbc-md5:normal
des-cbc-crc:v4 des-cbc-crc:afs3 des3-hmac-sha1:normal arcfour-hmac:normal
As you can see, I think we *are* already listing 'normal' ones first.
How would you re-order that list to fix the problem? Would you just
remove the two latter des- entries?
Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida
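The supported_enctypes line quoted in the message above can be checked mechanically for the condition in the subject line. This is an added example, not code from the thread or from MIT krb5; it assumes the kdc.conf syntax enctype[:salttype] with a missing salttype defaulting to normal.

```python
# Added example (not from the krbdev thread or MIT krb5): parse a kdc.conf
# supported_enctypes value into (enctype, salttype) pairs and report any
# enctype listed with more than one salt type. Each pair produces its own
# key on a newly created principal, and the KDC advertises one ETYPE-INFO2
# entry per key, so one enctype with two salts is exactly the "same etype,
# different salts" case the thread discusses.
from collections import OrderedDict

DEFAULT_SALT = "normal"  # assumption: omitted salttype means "normal"


def parse_supported_enctypes(value):
    """Return an ordered list of (enctype, salttype) pairs."""
    pairs = []
    for token in value.split():
        enctype, sep, salt = token.partition(":")
        pairs.append((enctype, salt if sep else DEFAULT_SALT))
    return pairs


def duplicate_salts(value):
    """Map each enctype listed with more than one salt type to its salts."""
    salts = OrderedDict()
    for enctype, salt in parse_supported_enctypes(value):
        salts.setdefault(enctype, [])
        if salt not in salts[enctype]:
            salts[enctype].append(salt)
    return {e: s for e, s in salts.items() if len(s) > 1}


def normal_first(value):
    """True if the first listed salt type of every enctype is "normal".

    Ordering only helps clients that pick the first entry; it does not
    remove the extra ETYPE-INFO2 entries from the KDC's reply.
    """
    seen = set()
    for enctype, salt in parse_supported_enctypes(value):
        if enctype not in seen:
            seen.add(enctype)
            if salt != DEFAULT_SALT:
                return False
    return True


# Constructed input: the list quoted in the message above.
EXAMPLE = ("des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:v4 "
           "des-cbc-crc:afs3 des3-hmac-sha1:normal arcfour-hmac:normal")

if __name__ == "__main__":
    for enctype, salts in duplicate_salts(EXAMPLE).items():
        print(f"{enctype}: {len(salts)} salt types {salts}")
    print("normal-first:", normal_first(EXAMPLE))
```

On the quoted list the check reports des-cbc-crc with two salt types (v4 and afs3) and no normal entry at all, which is why listing the other "normal" entries first does not remove the duplicate ETYPE-INFO-ENTRY.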