Bug 573968

Summary: kinit: KDC has no support for encryption type while getting initial credentials
Product: Fedora
Component: krb5
Version: 14
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Reporter: Adam Tkac <atkac>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ahecox, avettath, cbuissar, dkovalsk, fcdanilo, fche, k.georgiou, liblit, nalin, ovasik, pbatkowski, phan, pmatilai, yanwang, yersinia.spiros
Flags: nalin: fedora_requires_release_note?
Doc Type: Bug Fix
Last Closed: 2012-08-16 19:36:35 UTC

Description Adam Tkac 2010-03-16 10:41:08 UTC
Description of problem:
I'm unable to obtain an initial TGT via the "kinit" utility. It always prints the error message "kinit: KDC has no support for encryption type while getting initial credentials".

Version-Release number of selected component (if applicable):
$ rpm -qa |grep krb5
krb5-workstation-1.8-3.fc14.x86_64
krb5-libs-1.8-3.fc14.x86_64
krb5-devel-1.8-3.fc14.x86_64

How reproducible:
always

Steps to Reproduce:
1. modify /etc/krb5.conf appropriately
2. run "kinit"
  
Actual results:
$ kinit 
kinit: KDC has no support for encryption type while getting initial credentials

Expected results:
$ kinit 
Password for atkac:

Additional info:
krb5*-1.7.1-5.fc13 works fine in my case. Let me know if you need more information.

Comment 1 Nalin Dahyabhai 2010-03-16 16:48:15 UTC
If setting "allow_weak_crypto = yes" in the [libdefaults] section of your /etc/krb5.conf works around this, then you and/or the ticket-granting service are lacking keys for ciphers other than DES, raw Triple-DES, or 40-bit RC4.

If you're missing the keys[1], then changing your password (even to the same value, if it's allowed by your realm's policies) should fix it.  If it doesn't, then you've encountered a problem with your KDC's configuration, and your KDC administrator needs to rekey the ticket-granting service key using kadmin and something along the lines of the "changepw -keepold -randkey krbtgt/$REALM" command.

If you're encountering this problem, then chances are that other services in your realm will need rekeying.

[1] Run "kadmin -p $principal -q 'getprinc $principal'", replacing $principal with your principal name.  If you see no keys other than DES, "exportable" RC4, or "Triple DES cbc mode raw", then you'll definitely need to change your keys by resetting your password.

Comment 3 Nalin Dahyabhai 2010-03-23 15:26:27 UTC
Specifically, if after changing your password, you still don't have keys for the newer encryption types, then you've encountered a configuration problem on the KDC.

Comment 5 Nalin Dahyabhai 2010-03-25 18:23:20 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Note that as of version 1.8, clients and servers (including KDCs) will default to not using keys for the ciphers "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des3-cbc-raw", "des-hmac-sha1", and "arcfour-hmac-exp".  As a result, by default, clients will not be able to authenticate to services which have keys of only these types.  This may include the KDC's ticket granting service.

Most services can have a new set of keys (including keys for use with stronger ciphers) added to their keytabs and experience no downtime, and the ticket granting service's keys can likewise be updated, to a set which includes keys for use with stronger ciphers, using kadmin's "cpw -keepold" command.

As a temporary workaround, systems which need to continue to use the weaker ciphers can be configured with "allow_weak_crypto = yes" in the [libdefaults] section of their respective /etc/krb5.conf files.

As of this writing, NFS, when used with Kerberos authentication, only supports use of DES key types and ciphers.  As a result, without the above workaround in place, NFS clients and servers will be unable to authenticate to each other -- attempts to mount NFS filesystems may fail, and the client's rpc.gssd and the server's rpc.svcgssd may log errors indicating that DES encryption types are not permitted.
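Worked example, added here and not part of the bug report or of the krb5 project: a POSIX shell script that applies the checks from Comment 1 and the remedies from the technical note in Comment 5. It classifies a principal as usable or weak-only from the "Key:" lines of kadmin getprinc output (assumed line shape "Key: vno <n>, <enctype>, <salt>", with the weak set taken from the note; the long descriptions such as "Triple DES cbc mode raw" are the spellings older kadmin versions print, as quoted in Comment 1), prints the matching remedy (cpw -keepold -randkey for the TGS and other service principals; kpasswd for a user principal, which is an assumption, since the thread only says "change your password"), and checks whether a krb5.conf still carries the allow_weak_crypto workaround in [libdefaults]. The getprinc output, the krb5.conf text, the principal names and the realm EXAMPLE.COM are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or the krb5 project): triage a
# principal's key types from "kadmin -q 'getprinc <principal>'" output and
# check a krb5.conf for the temporary allow_weak_crypto workaround.
# Assumed: "Key:" lines look like "Key: vno <n>, <enctype>, <salt>"; the
# long enctype descriptions below are the spellings older kadmin prints.

# Enctypes krb5 1.8 stops using by default (list from the technical note).
# Long-form patterns are anchored so "Triple DES cbc mode with HMAC/sha1"
# (des3-cbc-sha1, still allowed) does not match "des cbc mode".
is_weak_enctype() { # $1 = enctype as printed by getprinc; exit 0 if weak
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lc" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5|des-cbc-raw|des3-cbc-raw|des-hmac-sha1|arcfour-hmac-exp)
            return 0 ;;
        "des cbc mode"*|"triple des cbc mode raw"|"des with hmac/sha1"|"exportable arcfour"*)
            return 0 ;;
    esac
    return 1
}

# Print one enctype per line from getprinc output on stdin.
getprinc_enctypes() {
    sed -n 's/^Key: vno [0-9]*, \([^,]*\),.*$/\1/p'
}

# Count keys whose enctype is not in the weak set (getprinc output on stdin).
count_strong_keys() {
    getprinc_enctypes | {
        n=0
        while IFS= read -r et; do
            is_weak_enctype "$et" || n=$((n + 1))
        done
        echo "$n"
    }
}

# "weak-only": every key is in the weak set, so a 1.8 client fails by default
# (the kinit error in this bug when the principal is krbtgt/REALM).
# "ok": at least one key is usable without allow_weak_crypto.
classify_principal() {
    if [ "$(count_strong_keys)" -eq 0 ]; then echo weak-only; else echo ok; fi
}

# Remedies from the thread: "cpw -keepold -randkey" for the TGS and service
# principals (old keys stay valid while stronger ones are added), a password
# change for users. kpasswd is assumed for the user case.
suggest_remedy() { # $1 = principal name
    case "$1" in
        */*) echo "kadmin -q 'cpw -keepold -randkey $1'" ;;
        *)   echo "kpasswd $1" ;;
    esac
}

# Exit 0 if [libdefaults] in the krb5.conf text on stdin turns on the
# workaround. Boolean spellings as accepted by libkrb5's profile parser
# (y, yes, true, t, 1, on) are assumed.
weak_crypto_enabled() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t#].*$/, "", v)
            v = tolower(v)
            if (v == "y" || v == "yes" || v == "true" || v == "t" || v == "1" || v == "on") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed samples (not real output), in both enctype spellings the
# parser accepts: a TGS with only weak keys, a user with mixed keys, and a
# krb5.conf that still carries the workaround.
SAMPLE_TGS='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, Triple DES cbc mode raw, no salt'
SAMPLE_USER='Principal: atkac@EXAMPLE.COM
Number of keys: 3
Key: vno 4, aes256-cts-hmac-sha1-96, no salt
Key: vno 4, arcfour-hmac, no salt
Key: vno 4, des-cbc-crc, no salt'
SAMPLE_CONF='[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = yes

[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
 }'

report() { # $1 = principal name, stdin = getprinc output
    c=$(classify_principal)
    printf '%s: %s\n' "$1" "$c"
    if [ "$c" = weak-only ]; then printf '  remedy: %s\n' "$(suggest_remedy "$1")"; fi
}

printf '%s\n' "$SAMPLE_TGS" | report 'krbtgt/EXAMPLE.COM@EXAMPLE.COM'
printf '%s\n' "$SAMPLE_USER" | report 'atkac@EXAMPLE.COM'
if printf '%s\n' "$SAMPLE_CONF" | weak_crypto_enabled; then
    echo 'krb5.conf: allow_weak_crypto workaround is still in place'
fi
```

Against a live realm, pipe the real output in: `kadmin -p admin/admin -q 'getprinc krbtgt/EXAMPLE.COM' | classify_principal` for the TGS, the same with the kinit user's principal to check the client side first as Comment 1 suggests, and `weak_crypto_enabled < /etc/krb5.conf` on hosts that should have dropped the workaround once rekeying is done. The -keepold flag is what keeps the rekey downtime-free: the TGS still holds the keys that already-issued tickets were encrypted under.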

Comment 6 Bug Zapper 2010-07-30 11:05:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 10 Fedora End Of Life 2012-08-16 19:36:39 UTC
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advance warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping