Hi all,
I'm trying to debug a problem where I've specifically asked for an
encryption type that I know my principal has an entry for, but I still
fail to get a ticket, and I am not getting a lot of good information
about what's happening. I'll describe the situation below, and I'd
welcome any feedback about the problem itself or how to gather more
information.
Thanks!
I've got a principal configured like so:
Number of keys: 6
Key: vno 27, DES with HMAC/sha1, no salt
Key: vno 27, DES cbc mode with RSA-MD5, no salt
Key: vno 27, DES cbc mode with CRC-32, Version 4
Key: vno 27, DES cbc mode with CRC-32, AFS version 3
Key: vno 27, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 27, ArcFour with HMAC/md5, no salt
Attributes: REQUIRES_PRE_AUTH
I've got a client configured like so:
[libdefaults]
default_tkt_enctypes = des3-hmac-sha1
default_tgs_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1
allow_weak_crypto = false
But, when I try to kinit, I get:
kinit: KDC has no support for encryption type while getting initial
credentials
My logs on the KDC clearly say the same thing:
krb5kdc[2783](info): AS_REQ (1 etypes {16}) 10.253.17.19:
BAD_ENCRYPTION_TYPE
Checking type 16, it's definitely des3-hmac-sha1.
This situation seems straightforward... why doesn't it work?
FWIW, the kdc.conf has:
supported_enctypes = des-hmac-sha1:normal des-cbc-md5:normal
des-cbc-crc:v4 des-cbc-crc:afs3 des3-hmac-sha1:normal arcfour-hmac:normal
And encryption types aren't mentioned anywhere else in kdc.conf.
Thanks all,
--
Martin B. Smith, Systems Administrator
[email protected] - (352) 273-1329
UF Information Technology, CNS/Open Systems Group
University of Florida
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
