> >> Except the issue here is he's getting a DES_CBC_MD4 session key when he
> >> wants DES_CBC_CRC. The "why" is likely in the code you're quoting -
> >> DES_CBC_MD4 is a "better" enctype, and both sides appear to support it
> >> (since the single-des types are interchangeable).
> >
> >> I'd be curious to know how the resulting ticket is not "useful"; that
> >> is, what application is being used and what error results when
> >> attempting to use that ticket.
> >
> > Here is the error reported by the user:
> >
> > $ telnet -fax cerberus.ait.iastate.edu
> > Encryption is verbose
> > Trying 129.186.145.115...
> > Connected to cerberus.ait.iastate.edu.
> > Escape character is '^]'.
> > [ Trying mutual KERBEROS5 (host/[EMAIL PROTECTED])... ]
> > [ Kerberos V5 refuses authentication because telnetd:
> > krb5_rd_req failed: Encryption type not permitted ]
> > [ Trying KERBEROS5 (host/[EMAIL PROTECTED])... ]
> > [ Kerberos V5 refuses authentication because telnetd:
> > krb5_rd_req failed: Encryption type not permitted ]
>
> Is the telnetd also heimdal? That sounds like either the machine running
> telnetd is configured to require des-cbc-crc, or its keytab contains only a
> des-cbc-crc key. You can fix the latter problem by using ktutil to copy
> the keytab to a v4 srvtab and back.

Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.

John
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
