Bug 151175 - default_tkt_enctypes = des-cbc-crc causes kinit to fail
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: krb5
Version: 4.0
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
 
Reported: 2005-03-15 12:40 EST by Frank Swasey
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-04-04 14:34:25 EDT

Description Frank Swasey 2005-03-15 12:40:49 EST
Description of problem:

Copied the working /etc/krb5.conf file from an RHEL v3.4 system to the new RHEL
4.0 system.  This /etc/krb5.conf file is used to connect with our DCE security
server as the KDC.  Discovered that kinit fails with the error message:

kinit(v5): No supported encryption types (config file error?) while getting
initial credentials

Removing the "default_tkt_enctypes = des-cbc-crc" from the [libdefaults] section
allows the kinit to work, but all the keys that have been saved in that enctype
in the /etc/krb5.keytab file will no longer work.  Replacing those keys is not
possible.

Version-Release number of selected component (if applicable):

krb5-workstation-1.3.4-10

How reproducible:

edit /etc/krb5.conf to place "default_tkt_enctypes = des-cbc-crc" in the
[libdefaults] section.
attempt to use kinit



Steps to Reproduce:
1. edit /etc/krb5.conf to place "default_tkt_enctypes = des-cbc-crc" in the
[libdefaults] section.
2. kinit -V (userid of choice)
  
Actual results:

[root@carcajou ~]# kinit -V fcs
kinit(v5): No supported encryption types (config file error?) while getting
initial credentials
[root@carcajou ~]#

Expected results:

[root@carcajou ~]# kinit -V fcs
Password for fcs@uvm.edu:
Authenticated to Kerberos v5
[root@carcajou ~]#

Additional info:

Comment 1 Frank Swasey 2005-04-04 14:34:25 EDT
After much research, the solution to the problem (because the KDC is really a
DCE security server) is to add the following two lines to the [libdefaults] section:

dns_lookup_kdc = false
noaddresses = false

The first is because we have kdc information for a realm of the same name in DNS
as we are converting from DCE to MIT Kerberos -- but it doesn't have the same
host entries.

The second is because DCE does not allow requests with 0.0.0.0 as the address of
the client.
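
As an added example (not part of the bug report and not krb5 project code), the following Python parses the [libdefaults] section of a krb5.conf, reports the two settings named in comment 1, and flags enctype lists that contain single-DES types, which RFC 6649 deprecates. The sample file, the EXAMPLE.COM realm, the KDC host name and the function names are constructed for illustration.

```python
import re

# Constructed sample; EXAMPLE.COM and the KDC host are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    dns_lookup_kdc = false
    noaddresses = false
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Single-DES enctype names accepted by MIT krb5 (deprecated by RFC 6649).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_libdefaults(text):
    """Return the top-level key/value pairs of the [libdefaults] section."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
            continue
        if section == "libdefaults" and depth == 0 and "=" in line and not line.endswith("{"):
            key, value = (part.strip() for part in line.split("=", 1))
            out[key] = value
        depth += line.count("{") - line.count("}")  # skip nested { } blocks
    return out


def audit(text):
    """Flag single-DES enctype lists and report the two settings from comment 1."""
    cfg = parse_libdefaults(text)
    weak = {}
    for key in ENCTYPE_KEYS:
        names = [n for n in re.split(r"[,\s]+", cfg.get(key, "").lower()) if n]
        des = [n for n in names if n in SINGLE_DES]
        if des:
            weak[key] = {"single_des": des, "des_only": len(des) == len(names)}
    reported = {k: cfg.get(k, "unset") for k in ("dns_lookup_kdc", "noaddresses")}
    return {"weak_enctypes": weak, "reported": reported}
```

A `des_only` result of true marks a configuration like the one in this report, where existing keytab entries tie the host to a single-DES enctype and no other enctype is offered.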
