BAD_ENCRYPTION_TYPE problem

Abhilash S abhilashvkm at gmail.com
Thu Jan 17 17:36:43 EST 2013


Hello,

We have some issues with "des-cbc-md5" encryption in keytab auth.
When we try to use the keytab, the KDC throws the error BAD_ENCRYPTION_TYPE.
We have "allow_weak_crypto = true" in the krb config file, which is
mentioned below.
I have renamed the realm name to "EX.COM" in the config.
KDC version: 1.10.3


*KDC log*

Jan 17 14:15:03 server1.com krb5kdc[13369](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 17.209.17.81: NEEDED_PREAUTH: abhilash at EX.COM for krbtgt/EX.COM at EX.COM, Additional pre-authentication required

Jan 17 14:15:06 server1.com krb5kdc[13369](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) : ISSUE: authtime 1358460906, etypes {rep=18 tkt=18 ses=18}, abhilash at EX.COM for krbtgt/EX.COM at EX.COM

Jan 17 14:15:33 server1.com krb5kdc[13369](info): TGS_REQ (1 etypes {3}) : BAD_ENCRYPTION_TYPE: authtime 0,  abhilash at EX.COM for nfs/test_keytab.com at EX.COM, KDC has no support for encryption type


*key tab entry:*

Keytab name: WRFILE:test.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/17/13 11:27:36 nfs/test.com at EX.COM (des-cbc-md5)


*KDC entry:*

kadmin.local:  getprinc nfs/test.com at EX.COM
Principal: nfs/test.com at EX.COM
Expiration date: [never]
Last password change: Thu Jan 17 11:27:36 PST 2013
Password expiration date: [none]
Maximum ticket life: 0 days 02:00:00
Maximum renewable life: 0 days 10:00:00
Last modified: Thu Jan 17 11:27:36 PST 2013 (root/admin at EX.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
*Key: vno 2, des-cbc-md5, no salt*
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]



*krb5.conf:*


[libdefaults]
        default_realm = EX.COM
        ticket_lifetime = 600
        *allow_weak_crypto = true*

[realms]
        EX.COM = {
                kdc=server1.com:4160
                admin_server=server1.com:4160
                default_domain = server1.com
        }

[domain_realm]
        .server1.com = EX.COM
        server1.com = EX.COM

[logging]
        kdc = FILE:/ngs/log/kdc.log
        admin_server = FILE:/ngs/log/kadmin.log
        default = FILE:/ngs/log/krb5lib.log




-- 
Thanks & Regards,

Abhilash.S
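
Added example (not part of the original message, and not MIT krb5 code): a small Python parser for krb5kdc request lines like those in the KDC log above, mapping the etype numbers to their names and picking out requests that offer only single-DES types. The function names and sample lines are constructed for illustration; the etype numbers are the IANA-registered Kerberos values.

```python
import re

# Kerberos encryption type numbers (IANA registry; RFC 3961, 3962, 4757).
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Single-DES types, which MIT krb5 treats as weak (gated by allow_weak_crypto).
WEAK = {1, 2, 3}

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[\d ]+)\}\)[^:]*: (?P<status>[A-Z_]+):"
)

def parse_kdc_line(line):
    """Return a dict for one krb5kdc request line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.group("etypes").split()]
    return {
        "request": m.group("req"),
        "status": m.group("status"),
        "etypes": [ETYPES.get(n, f"unknown({n})") for n in nums],
        "only_weak": all(n in WEAK for n in nums),
    }

def weak_only_requests(lines):
    """Requests whose offered etype list contains nothing but single-DES."""
    parsed = (parse_kdc_line(line) for line in lines)
    return [p for p in parsed if p and p["only_weak"]]

# Constructed sample input, modelled on the log excerpt in the message.
SAMPLE = [
    "Jan 17 14:15:03 server1.com krb5kdc[13369](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 17.209.17.81: NEEDED_PREAUTH: abhilash at EX.COM for krbtgt/EX.COM at EX.COM, Additional pre-authentication required",
    "Jan 17 14:15:06 server1.com krb5kdc[13369](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) : ISSUE: authtime 1358460906, etypes {rep=18 tkt=18 ses=18}, abhilash at EX.COM for krbtgt/EX.COM at EX.COM",
    "Jan 17 14:15:33 server1.com krb5kdc[13369](info): TGS_REQ (1 etypes {3}) : BAD_ENCRYPTION_TYPE: authtime 0,  abhilash at EX.COM for nfs/test_keytab.com at EX.COM, KDC has no support for encryption type",
]

if __name__ == "__main__":
    for p in weak_only_requests(SAMPLE):
        print(p["request"], p["status"], p["etypes"])
```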