Enctype Problem
Hello Heimdalers,
Weird one. I can kinit from every machine in the realm except from the
kdc, unless my Principal includes single DES enc-types. As soon as I
have deleted all three single DESs from my principal, I get this:
kinit: KDC has no support for encryption type while getting initial
credentials
However, I can get aes-256 Tickets for that very same principal, from
that very same KDC, from other computers in the realm. From kdc.log:
2006-03-16T10:21:42 AS-REQ trussell@VATTENFALL.KRB.UNIX from IPv4:10.20.28.57 for krbtgt/VATTENFALL.KRB.UNIX@VATTENFALL.KRB.UNIX
2006-03-16T10:21:42 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2006-03-16T10:21:42 Requested flags: renewable_ok
2006-03-16T10:21:42 sending 641 bytes to IPv4:10.20.28.57
2006-03-16T10:21:42 TGS-REQ trussell@VATTENFALL.KRB.UNIX from IPv4:10.20.28.57 for host/isuadm01.corp.vattenfall.de@VATTENFALL.KRB.UNIX
2006-03-16T10:21:42 sending 652 bytes to IPv4:10.20.28.57
Output from klist -e from 10.20.28.57:
Ticket cache: FILE:/tmp/krb5cc_2004
Default principal: trussell@VATTENFALL.KRB.UNIX
Valid starting Expires Service principal
03/16/06 10:23:39 03/17/06 10:23:39
krbtgt/VATTENFALL.KRB.UNIX@VATTENFALL.KRB.UNIX
Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC,
AES-256 CTS mode with 96-bit SHA-1 HMAC
Output from "list -l trussell" from kadmin:
Principal: trussell@VATTENFALL.KRB.UNIX
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 0
Mkvno: 0
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2006-03-16 09:40:06 UTC
Modifier: tradmin/admin@VATTENFALL.KRB.UNIX
Attributes:
Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
Is this weird problem one of those ugly, unpredictable thingies that
happen when one's realm is a mix of MIT and Heimdal (KDC is Heimdal)? I
am still in the test phase with this project, and started out with MIT
until it became clear that OpenLDAP works only with Heimdal, hence the
mix.
Any help, tips, advice, greatly appreciated.
Cheers,
Toby
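An added example, not part of Toby's message and not Heimdal or MIT code: a small model of the KDC-side encryption-type selection that ends in the "KDC has no support for encryption type" error. The principal's keytypes are the ones printed by "list -l trussell" above; the two requested-etype lists are constructed sample data, and the idea that the kinit run on the KDC host offers only single DES is an assumption used to illustrate the failure, not something the post establishes. The selection rule (first requested type the principal has a key for, in the client's order) is a simplification of the RFC 4120 negotiation.

```python
# Added example; it is not code from the original post or from Heimdal/MIT.
# It models the KDC-side encryption-type selection that ends in the error
# "kinit: KDC has no support for encryption type". The rule used here is a
# simplification of RFC 4120 section 3.1.3: walk the client's requested
# etype list in order and take the first type for which the principal has
# a key; with no overlap the KDC answers KDC_ERR_ETYPE_NOSUPP.
# The requested lists below are constructed sample data, not captured AS-REQs.

from typing import Sequence

# Keytypes of trussell as shown by "list -l trussell" in the post.
PRINCIPAL_KEYTYPES = (
    "aes256-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac-md5",
)

# The three single-DES types the post says were deleted from the principal.
SINGLE_DES = ("des-cbc-crc", "des-cbc-md4", "des-cbc-md5")

# Constructed: what a client on another host in the realm might ask for
# (AES first, single DES last as a fallback).
REMOTE_CLIENT_REQUEST = (
    "aes256-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac-md5",
) + SINGLE_DES

# Constructed hypothesis for the kinit run on the KDC host: a client whose
# configuration (or age) limits it to single DES only.
KDC_HOST_REQUEST = SINGLE_DES


class EtypeNotSupported(Exception):
    """Stand-in for KDC_ERR_ETYPE_NOSUPP, which kinit prints as
    'KDC has no support for encryption type'."""


def select_etype(requested: Sequence[str], keytypes: Sequence[str]) -> str:
    """Return the first requested etype the principal has a key for."""
    available = set(keytypes)
    for etype in requested:
        if etype in available:
            return etype
    raise EtypeNotSupported(
        f"no overlap between requested {list(requested)} "
        f"and principal keytypes {list(keytypes)}"
    )


def diagnose(requested: Sequence[str], keytypes: Sequence[str]) -> str:
    """One-line verdict in the style of the kdc.log 'Using a/b' line, plus a
    hint when every type the client offered is single DES."""
    try:
        etype = select_etype(requested, keytypes)
        return f"Using {etype}/{etype}"
    except EtypeNotSupported:
        if set(requested) <= set(SINGLE_DES):
            return ("KDC_ERR_ETYPE_NOSUPP: client offered only single DES; "
                    "check the enctype list that client's krb5.conf produces")
        return "KDC_ERR_ETYPE_NOSUPP: no common encryption type"


if __name__ == "__main__":
    print("remote host :", diagnose(REMOTE_CLIENT_REQUEST, PRINCIPAL_KEYTYPES))
    print("kdc host    :", diagnose(KDC_HOST_REQUEST, PRINCIPAL_KEYTYPES))
    # Re-adding one single-DES key reproduces the "works again" observation.
    print("with DES key:", diagnose(KDC_HOST_REQUEST,
                                    PRINCIPAL_KEYTYPES + ("des-cbc-md5",)))
```

The model reproduces both observations in the post with the same principal: a client offering AES gets the "Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96" line, a client offering only single DES gets the error, and putting one single-DES key back on the principal makes the second client succeed again. Which etypes a given kinit actually sends is decided by that client's own configuration, so comparing the enctype list produced on the KDC host with the one from a working host is the check this model points at.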