Thanks to Ken Grady for his help. It turns out that Red Hat does not list des3-hmac-sha1 as a supported encryption type in the kdc.conf they ship. However, this seems to be one of the default encryption types used by clients, thus causing problems. I changed the list of supported encryption types (supported_enctypes) in kdc.conf to the two that a stock MIT kdc.conf has (des3-hmac-sha1:normal des-cbc-crc:normal), and also changed the master_key_type from the Red Hat-specified des-cbc-crc to the stock des3-hmac-sha1 (which required rebuilding my database), and all works well now.
Thanks again to Ken for the help.

Jason

Jason Heiss wrote:
> I'm trying to set up a script to run kadmin without entering a password. I'm
> attempting to follow the directions in the Kerberos FAQ and keep running
> into the same error no matter what I try. Namely:
>
> # kadmin -k
> Authenticating as principal [EMAIL PROTECTED] with
> default keytab.
> kadmin: Bad encryption type while initializing kadmin interface
>
> or
>
> # kinit -S kadmin/admin -k host/foo.example.edu
> kinit(v5): Bad encryption type while getting initial credentials
>
> I've tried the host principal, I've tried creating a service principal,
> I tried creating just root/admin, doesn't seem to matter.
>
> Any suggestions? I really don't want to have to resort to feeding a
> password to kadmin on the command line.
>
> Thanks,
>
> Jason
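
Added example, not part of the original message or of MIT Kerberos: a small check that reads the realm stanzas of a kdc.conf and reports which client encryption types are absent from supported_enctypes, the mismatch described above. The sample file contents, the realm name EXAMPLE.EDU and the client enctype list passed in are constructed assumptions.

```python
import re

# Constructed sample: a kdc.conf realm stanza whose supported_enctypes lacks
# des3-hmac-sha1 (illustrative values, not copied from any distribution).
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88

[realms]
 EXAMPLE.EDU = {
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
 }
"""

def parse_realms(text):
    """Return {realm: {setting: value}} for each stanza under [realms]."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            realms[realm][key] = value
    return realms

def missing_enctypes(settings, client_enctypes):
    """Client enctypes not listed in supported_enctypes (salt type ignored)."""
    entries = re.split(r"[,\s]+", settings.get("supported_enctypes", "").strip())
    supported = {entry.split(":", 1)[0] for entry in entries if entry}
    return [e for e in client_enctypes if e not in supported]

if __name__ == "__main__":
    client = ["des3-hmac-sha1", "des-cbc-crc"]  # assumed client enctype list
    for name, settings in parse_realms(SAMPLE_KDC_CONF).items():
        print(name, "master_key_type:", settings.get("master_key_type"),
              "missing:", missing_enctypes(settings, client))
```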
