On Tue, Sep 20, 2022 at 12:56:51PM -0700, Russ Allbery wrote:
> Wouter Verhelst <w...@uter.be> writes:
> > On Tue, Sep 20, 2022 at 11:43:40AM -0400, Greg Hudson wrote:
>
> >> From experience, this probably means you have a single-DES enctype
> >> listed in supported_enctypes and are using release 1.18. (In 1.17 or
> >> previous the enctype would be recognized; in 1.19 or later the library
> >> would ignore the enctype rather than failing out.) Remove the
> >> single-DES enctype and kadmind should start working again.
>
> > So, supported_enctypes is not even in the krb5.conf file; I assume that
> > means it then reverts to defaults?
>
> That's your krb5.conf, but the error message is about your kdc.conf
> (/etc/krb5kdc/kdc.conf). It has its own separate supported_enctypes
> setting.
My kdc.conf currently looks like this:
-----
[kdcdefaults]
kdc_ports = 750,88
[realms]
GREP.BE = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
default_principal_flags = +preauth
default_principal_expiration = 0
}
-----
Adding a line "supported_enctypes = DEFAULT" in either the "kdcdefaults"
or "GREP.BE" section did not fix the issue.
It might be the "master_key_type" thing? But the issue exists in 1.17, too.
--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
I will have a Tin-Actinium-Potassium mixture, thanks.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
