On 12/28/2009 10:17 PM, Tom Yu wrote:
> Jeff Blaine<jbla...@kickflop.net> writes:
>
>> On 12/28/2009 9:41 PM, Tom Yu wrote:
>>> Jeff Blaine<jbla...@kickflop.net> writes:
>>>
>>>> No, that works fine.
>>>
>>> When running kadmin remotely, does "addprinc" without "-randkey"
>>> succeed?
>>
>> Yup.
>
> This is probably a known bug, #6074. It was fixed in krb5-1.7, but
> not back-ported to 1.6.x. Basically, krb5-1.7 causes the RC4
> string-to-key to perform a proper UTF-8 conversion, and the "dummy"
> password that kadmin uses for performing the "addprinc -randkey"
> operation contains octet sequences that are not valid UTF-8. It's
> kind of an impedance mismatch between krb5-1.7 and earlier kadmin
> clients. Do you have RC4 ("arcfour-hmac-md5", etc.) configured in
> your "supported_enctypes" on that KDC?

I don't understand why I would need to specify that (?)

For example, this principal was created on the KDC box via
the same MIT 1.7 install tree that the KDC runs with:

Principal: krbtgt/f...@foo
...
Number of keys: 4
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt <-----------
MKey: vno 1
...