Description of problem:
I'm unable to obtain initial TGT via "kinit" utility. It always prints "kinit: KDC has no support for encryption type while getting initial credentials" error message.
Version-Release number of selected component (if applicable):
$ rpm -qa |grep krb5
Steps to Reproduce:
1. modify /etc/krb5.conf appropriately
2. run "kinit"
kinit: KDC has no support for encryption type while getting initial credentials
Password for atkac@REDHAT.COM:
krb5*-1.7.1-5.fc13 works fine in my case. Let me know if you need more information.
If setting "allow_weak_crypto = yes" in the [libdefaults] section of your /etc/krb5.conf works around this, then you and/or the ticket-granting service is lacking keys for ciphers other than DES, raw Triple-DES, or 40-bit RC4.
If you're missing the keys, then changing your password (even to the same value, if it's allowed by your realm's policies) should fix it. If it doesn't, then you've encountered a problem with your KDC's configuration, and your KDC administrator needs to rekey the ticket-granting service key using kadmin and something along the lines of the "changepw -keepold -randkey krbtgt/$REALM" command.
If you're encountering this problem, then chances are that other services in your realm will need rekeying.
 Run "kadmin -p $principal -q 'getprinc $principal'", replacing $principal with your principal name. If you see no keys other than DES, "exportable" RC4, or "Triple DES cbc mode raw", then you'll definitely need to change your keys by resetting your password.
Specifically, if after changing your password, you still don't have keys for the newer encryption types, then you've encountered a configuration problem on the KDC.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Note that as of version 1.8, clients and servers (including KDCs) will default to not using keys for the ciphers "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des3-cbc-raw", "des-hmac-sha1", and "arcfour-hmac-exp". As a result, by default, clients will not be able to authenticate to services which have keys of only these types. This may include the KDC's ticket granting service.
Most services can have a new set of keys (including keys for use with stronger ciphers) added to their keytabs and experience no downtime, and the ticket granting service's keys can likewise be updated, to a set which includes keys for use with stronger ciphers, using kadmin's "cpw -keepold" command.
As a temporary workaround, systems which need to continue to use the weaker ciphers can be configured with "allow_weak_crypto = yes" in the [libdefaults] section of their respective /etc/krb5.conf files.
As of this writing, NFS, when used with Kerberos authentication, only supports use of DES key types and ciphers. As a result, without the above workaround in place, NFS clients and servers will be unable to authenticate to each other -- attempts to mount NFS filesystems may fail, and the client's rpc.gssd and the server's rpc.svcgssd may log errors indicating that DES encryption types are not permitted.
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.
More information and reason for this action is here:
This message is a notice that Fedora 14 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 14. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.
(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 14 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here: