Re: Enctype Negotiation Problem - Kerberos
-
Re: Enctype Negotiation Problem
> >> Except the issue here is he's getting a DES_CBC_MD4 session key when he
> >> wants DES_CBC_CRC. The "why" is likely in the code you're quoting -
> >> DES_CBC_MD4 is a "better" enctype, and both sides appear to support it
> >> (since the single-des types are interchangeable).
> >
> >> I'd be curious to know how the resulting ticket is not "useful"; that
> >> is, what application is being used and what error results when
> >> attempting to use that ticket.
> >
> > Here is the error reported by the user:
> >
> > $ telnet -fax cerberus.ait.iastate.edu
> > Encryption is verbose
> > Trying 129.186.145.115...
> > Connected to cerberus.ait.iastate.edu.
> > Escape character is '^]'.
> > [ Trying mutual KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
> > [ Kerberos V5 refuses authentication because telnetd:
> > krb5_rd_req failed: Encryption type not permitted ]
> > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
> > [ Kerberos V5 refuses authentication because telnetd:
> > krb5_rd_req failed: Encryption type not permitted ]
>
> Is the telnetd also heimdal? That sounds like either the machine running
> telnetd is configured to require des-cbc-crc, or its keytab contains only a
> des-cbc-crc key. You can fix the latter problem by using ktutil to copy
> the keytab to a v4 srvtab and back.
Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.
John
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
-
Re: Enctype Negotiation Problem
On Wednesday, October 11, 2006 06:20:30 PM -0500 John Hascall wrote:
>
>
>> >> Except the issue here is he's getting a DES_CBC_MD4 session key when
>> >> he wants DES_CBC_CRC. The "why" is likely in the code you're quoting
>> >> - DES_CBC_MD4 is a "better" enctype, and both sides appear to support
>> >> it (since the single-des types are interchangeable).
>> >
>> >> I'd be curious to know how the resulting ticket is not "useful"; that
>> >> is, what application is being used and what error results when
>> >> attempting to use that ticket.
>> >
>> > Here is the error reported by the user:
>> >
>> > $ telnet -fax cerberus.ait.iastate.edu
>> > Encryption is verbose
>> > Trying 129.186.145.115...
>> > Connected to cerberus.ait.iastate.edu.
>> > Escape character is '^]'.
>> > [ Trying mutual KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
>> > [ Kerberos V5 refuses authentication because telnetd:
>> > krb5_rd_req failed: Encryption type not permitted ]
>> > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
>> > [ Kerberos V5 refuses authentication because telnetd:
>> > krb5_rd_req failed: Encryption type not permitted ]
>>
>> Is the telnetd also heimdal? That sounds like either the machine
>> running telnetd is configured to require des-cbc-crc, or its keytab
>> contains only a des-cbc-crc key. You can fix the latter problem by
>> using ktutil to copy the keytab to a v4 srvtab and back.
>
> Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.
Ah, but MIT Kerberos treats des-cbc-crc, des-cbc-md4, and des-cbc-md5 as
interchangeable in a variety of cases, and Heimdal does not. So if you
have an MIT KDC and Heimdal application servers, then a principal with a
des-cbc-crc key in the KDB needs to have all three enctypes in its keytab.
-- Jeff
-
Re: Enctype Negotiation Problem
> >> >> - DES_CBC_MD4 is a "better" enctype, and both sides appear to support
> >> >> it (since the single-des types are interchangeable).
> >> >
> >> >> I'd be curious to know how the resulting ticket is not "useful"; that
> >> >> is, what application is being used and what error results when
> >> >> attempting to use that ticket.
> >> >
> >> > Here is the error reported by the user:
> >> >
> >> > $ telnet -fax cerberus.ait.iastate.edu
> >> > Encryption is verbose
> >> > Trying 129.186.145.115...
> >> > Connected to cerberus.ait.iastate.edu.
> >> > Escape character is '^]'.
> >> > [ Trying mutual KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
> >> > [ Kerberos V5 refuses authentication because telnetd:
> >> > krb5_rd_req failed: Encryption type not permitted ]
> >> > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
> >> > [ Kerberos V5 refuses authentication because telnetd:
> >> > krb5_rd_req failed: Encryption type not permitted ]
> >>
> >> Is the telnetd also heimdal? That sounds like either the machine
> >> running telnetd is configured to require des-cbc-crc, or its keytab
> >> contains only a des-cbc-crc key. You can fix the latter problem by
> >> using ktutil to copy the keytab to a v4 srvtab and back.
> >
> > Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.
>
> Ah, but MIT Kerberos treats des-cbc-crc, des-cbc-md4, and des-cbc-md5 as
> interchangeable in a variety of cases, and Heimdal does not. So if you
> have an MIT KDC and Heimdal application servers, then a principal with a
> des-cbc-crc key in the KDB needs to have all three enctypes in its keytab.
Well, that's just icky.
I was able to solve the problem by adding the following line to the KDC's
krb5.conf file:
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 \
des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc
Thanks,
John
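The following Python is an added illustration, not code from this thread, from MIT Kerberos or from Heimdal. It models the negotiation Jeff describes (an MIT KDC that treats des-cbc-crc, des-cbc-md4 and des-cbc-md5 as interchangeable when choosing a session key, and a Heimdal krb5_rd_req that does not) and then replays both remedies from the thread: Jeff's advice to carry all three single-DES enctypes in the keytab, and John's permitted_enctypes line on the KDC. The preference ranking, the function names and the `interchangeable_des` switch are assumptions made for the model; the scenario inputs are constructed to match what the thread reports.

```python
"""Simplified model of single-DES enctype negotiation between an MIT KDC
and an application server (MIT or Heimdal). Constructed for illustration;
the ranking and function names below are assumptions, not real krb5 code."""

# Single-DES enctypes that share key material; MIT treats them as
# interchangeable in several places, Heimdal does not (per the thread).
SINGLE_DES = frozenset({"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"})

# Assumed preference ranking, strongest first. The thread only establishes
# that des-cbc-md4 ranks above des-cbc-crc; the rest of the order is assumed.
PREFERENCE = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac-md5",
    "des-cbc-md5",
    "des-cbc-md4",
    "des-cbc-crc",
]


def key_supports(key_enctypes, enctype, interchangeable_des):
    """Can a key set serve `enctype`?  With interchangeable_des=True (MIT
    behaviour) any single-DES key counts for every single-DES enctype; with
    False (Heimdal behaviour) only an exact enctype match counts."""
    if enctype in key_enctypes:
        return True
    return bool(interchangeable_des and enctype in SINGLE_DES
                and key_enctypes & SINGLE_DES)


def kdc_choose_session_enctype(client_requested, service_kdb_enctypes,
                               permitted_enctypes):
    """Model the MIT KDC: pick the most-preferred enctype that the client
    asked for, that permitted_enctypes allows, and that the service's KDB
    key can support (single-DES types interchangeable). None if nothing fits."""
    for enctype in PREFERENCE:
        if enctype not in client_requested or enctype not in permitted_enctypes:
            continue
        if key_supports(set(service_kdb_enctypes), enctype, True):
            return enctype
    return None


def server_rd_req(session_enctype, keytab_enctypes, implementation):
    """Model krb5_rd_req on the application server. 'mit' accepts any
    single-DES session key against a single-DES keytab key; 'heimdal'
    requires the exact enctype to be present in the keytab."""
    if key_supports(set(keytab_enctypes), session_enctype,
                    interchangeable_des=(implementation == "mit")):
        return "ok"
    return "Encryption type not permitted"


def negotiate(client_requested, service_kdb_enctypes, permitted_enctypes,
              keytab_enctypes, server_impl):
    """Run KDC selection then server acceptance; return (enctype, result)."""
    chosen = kdc_choose_session_enctype(client_requested, service_kdb_enctypes,
                                        permitted_enctypes)
    if chosen is None:
        return None, "KDC has no usable enctype"
    return chosen, server_rd_req(chosen, keytab_enctypes, server_impl)


# Constructed scenario matching the thread: the client wants des-cbc-crc but
# also offers des-cbc-md4, the KDB and the telnetd keytab hold only a
# des-cbc-crc key, and the KDC initially permits every single-DES type.
CLIENT = {"des-cbc-crc", "des-cbc-md4"}
KDB = {"des-cbc-crc"}
KEYTAB = {"des-cbc-crc"}
ALL_DES = set(SINGLE_DES)

# John's fix: a permitted_enctypes list with no des-cbc-md4 / des-cbc-md5.
JOHN_PERMITTED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                  "des3-cbc-sha1", "arcfour-hmac-md5", "des-cbc-crc"}


def scenario_broken():
    """MIT KDC hands out a des-cbc-md4 session key; Heimdal telnetd refuses."""
    return negotiate(CLIENT, KDB, ALL_DES, KEYTAB, "heimdal")


def scenario_mit_server():
    """Same ticket presented to an MIT server: accepted via interchangeability."""
    return negotiate(CLIENT, KDB, ALL_DES, KEYTAB, "mit")


def scenario_keytab_fix():
    """Jeff's remedy: all three single-DES enctypes in the Heimdal keytab."""
    return negotiate(CLIENT, KDB, ALL_DES, KEYTAB | ALL_DES, "heimdal")


def scenario_kdc_fix():
    """John's remedy: restrict permitted_enctypes on the KDC to des-cbc-crc."""
    return negotiate(CLIENT, KDB, JOHN_PERMITTED, KEYTAB, "heimdal")


if __name__ == "__main__":
    for name, fn in [("broken", scenario_broken), ("mit server", scenario_mit_server),
                     ("keytab fix", scenario_keytab_fix), ("kdc fix", scenario_kdc_fix)]:
        print(f"{name:11s} -> {fn()}")
```

Running the block prints the four outcomes: the unmodified setup yields a des-cbc-md4 session key that the Heimdal side rejects with "Encryption type not permitted", an MIT server accepts the same key, and either remedy restores a successful krb5_rd_req; John's permitted_enctypes change does so by making the KDC choose des-cbc-crc in the first place.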