Encryption Type wrong

Hello,

I am having a little problem here. I am running a KDC on Solaris and a number of clients on GNU/Linux. I have configured both the KDC and the Kerberos clients to use only the des-cbc-crc:default encryption type.
When creating a principal on the server using addprinc without -e des-cbc-crc:default, the principal is created with 4 keys. getprinc reveals:

Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt

If I use addprinc -e des-cbc-crc:normal then I get the desired
Key: vno 22, DES cbc mode with CRC-32, no salt

The same goes for cpw.

This I could live with since the group of users having admin privileges is very small.

But the ordinary user once in a while wants to change the password and will use kpasswd. kpasswd does not have the ability to choose the encryption type, and then a user ends up not having a key with des-cbc-crc:normal. Unfortunately GNU/Linux kinit breaks if the KDC does not have a key with the des-cbc-crc:normal encryption type in store.

Any help appreciated

cheers

Jan Sanders

The config files follow.

The krb5.conf on the GNU/Linux client:
[libdefaults]
default_realm = MY.DOMAIN

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
MY.DOMAIN = {
kdc = kdc.my.domain
admin_server = kdc.my.domain
}

[domain_realm]
my.domain = MY.DOMAIN
.my.domain = MY.DOMAIN

[login]
krb4_convert = true
krb4_get_tickets = false

The kdc.conf on the Solaris machine:

[libdefaults]
default_realm = MY.DOMAIN
default_keytab_name = /etc/krb5/krb5.keytab

[kdcdefaults]
kdc_ports = 88,750

[realms]
MY.DOMAIN = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
supported_enctypes = des-cbc-crc:normal
}
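The failure described in the post comes down to a set intersection: the client's permitted_enctypes must share at least one enctype with the keys the KDC actually holds for the principal, or the AS exchange cannot succeed. The following script is an added example, not code from the post or from MIT Kerberos; it parses getprinc output and the enctype lists in krb5.conf/kdc.conf, reports whether any stored key is usable by the client, and flags enctypes that RFC 6649 (single DES) and RFC 8429 (3DES, RC4) have since deprecated. The sample getprinc output and config snippets are constructed from the lines quoted above; the long-to-short enctype name table is the one MIT kadmin prints.

```python
"""Check whether a client's permitted_enctypes overlap the keys a KDC holds
for a principal, using `kadmin getprinc` output and krb5.conf/kdc.conf text.
Added example; sample data below is constructed from the mailing-list post."""
import re

# Long enctype names as printed by MIT kadmin's getprinc, mapped to the
# short names accepted in krb5.conf/kdc.conf enctype lists.
GETPRINC_NAMES = {
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "DES cbc mode with RSA-MD4": "des-cbc-md4",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

# Aliases krb5.conf accepts for the same enctype, folded to one canonical name.
ALIASES = {
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES and RC4).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1", "arcfour-hmac"}

KEY_LINE = re.compile(r"^Key: vno (\d+), (.+?)(?:, (.+))?$")

# Constructed sample: the four keys the post shows after a plain addprinc ...
GETPRINC_BEFORE = """\
Principal: user@MY.DOMAIN
Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt
"""
# ... and the single key after addprinc/cpw -e des-cbc-crc:normal.
GETPRINC_AFTER = "Key: vno 22, DES cbc mode with CRC-32, no salt\n"

# Constructed fragments of the client krb5.conf and the KDC's kdc.conf.
CLIENT_KRB5_CONF = "[libdefaults]\ndefault_realm = MY.DOMAIN\npermitted_enctypes = des-cbc-crc\n"
KDC_CONF = "[realms]\nMY.DOMAIN = {\nsupported_enctypes = des-cbc-crc:normal\n}\n"


def normalize(enctype):
    name = enctype.strip().lower()
    return ALIASES.get(name, name)


def parse_getprinc_keys(text):
    """Return [(vno, short_enctype, salt)] for every 'Key:' line of getprinc output."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue
        vno, longname, salt = m.groups()
        keys.append((int(vno), GETPRINC_NAMES.get(longname, longname), salt or ""))
    return keys


def parse_enctype_list(conf_text, variable):
    """Return the normalized enctype list assigned to `variable`; kdc.conf
    'enctype:salt' pairs have the salt type stripped. Comments start a line."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == variable:
            return [normalize(tok.split(":", 1)[0]) for tok in value.replace(",", " ").split()]
    return []


def check_overlap(keys, permitted):
    """Report which stored keys the client may use and which are deprecated."""
    stored = {enctype for _, enctype, _ in keys}
    usable = sorted(stored & set(permitted))
    return {
        "usable": usable,
        "has_usable_key": bool(usable),          # False means kinit cannot get an AS-REP
        "deprecated_stored": sorted(stored & DEPRECATED),
        "deprecated_permitted": sorted(set(permitted) & DEPRECATED),
    }


if __name__ == "__main__":
    permitted = parse_enctype_list(CLIENT_KRB5_CONF, "permitted_enctypes")
    for label, output in (("before cpw -e", GETPRINC_BEFORE), ("after cpw -e", GETPRINC_AFTER)):
        print(label, check_overlap(parse_getprinc_keys(output), permitted))
    print("KDC supported_enctypes:", parse_enctype_list(KDC_CONF, "supported_enctypes"))
```

Running it against real data means feeding `kadmin.local -q "getprinc user"` output and the live krb5.conf; the first report shows an empty usable set, which is exactly the kinit failure in the post, while the deprecated lists show that the only overlap available under this configuration is an enctype no current client should be restricted to.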
