Bug 57847 - Incompatible encryption types in config files
Product: Red Hat Linux
Classification: Retired
Component: krb5
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
Reported: 2001-12-27 18:58 EST by Jason Heiss
Modified: 2007-04-18 12:38 EDT
Fixed In Version: 1.4.2-2
Doc Type: Bug Fix
Last Closed: 2005-08-31 16:35:56 EDT

Description Jason Heiss 2001-12-27 18:58:05 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4)
Gecko/20011126 Netscape6/6.2.1

Description of problem:
The kdc.conf config file from the krb5-server RPM does not specify
des3-hmac-sha1 as a supported encryption type, but that seems to be one of
the two default encryption types used by clients (the other being
des-cbc-crc) if not specifically configured in krb5.conf.

This results in decryption failures when setting up principals for
cron jobs, database replication to slave KDCs, etc.

In addition, the kdc.conf supplied with RH specifies des-cbc-crc
as the master_key_type while the stock kdc.conf from MIT for Kerberos 1.2.2
specifies des3-hmac-sha1.

Changing master_key_type and supported_enctypes to the values from a stock
MIT kdc.conf fixed all of the issues I was having (and I got a stronger
encryption type for the master key while I was at it).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Create master KDC by changing EXAMPLE.COM and example.com in krb5.conf
and kdc.conf, then run kdb5_util create -s
2.  Create host principals for master and slave KDCs and set up keytabs
3.  Add entry for master KDC host principal to kpropd.acl on slave KDC
4.  Run kdb5_util dump to dump database to a file
5.  Attempt to run kprop and receive encryption error

Expected Results:  kprop should have been able to decrypt whatever key it
is using and transfer database to slave KDC

Additional info:

The values from a stock MIT kdc.conf work great, I'd recommend them unless
there is a particular reason the RH kdc.conf is set up the way it is.
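
The mismatch described in this report can be checked mechanically. The following is an added example, not code from the reporter, Red Hat or MIT: it parses the `[realms]` section of a kdc.conf and lists which of the two client default enctypes named above are absent from `supported_enctypes`. The sample files are constructed, the function names are hypothetical, and enctype names are compared literally with no alias handling.

```python
import re

# Per the report: the two enctypes clients use when krb5.conf sets none.
CLIENT_DEFAULT_ENCTYPES = ("des3-hmac-sha1", "des-cbc-crc")
# Constructed samples, not the shipped files; the "after" enctype list is assumed.
CONSTRUCTED_BEFORE = """\
[realms]
 EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
 }
"""
CONSTRUCTED_AFTER = (CONSTRUCTED_BEFORE
    .replace("master_key_type = des-cbc-crc", "master_key_type = des3-hmac-sha1")
    .replace("des-cbc-crc:normal des-cbc-crc:v4", "des3-hmac-sha1:normal des-cbc-crc:normal"))

def parse_realms(text):
    """Return {realm: {setting: value}} from the [realms] section of kdc.conf text."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section != "realms" or not line or line[0] in "#;":
            continue
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = {}
        elif line.startswith("}"):
            realm = None
        elif realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            realms[realm][key] = value
    return realms

def check_enctypes(text, client_enctypes=CLIENT_DEFAULT_ENCTYPES):
    """Per realm: client enctypes missing from the enctype:salt list, plus master_key_type."""
    report = {}
    for realm, cfg in parse_realms(text).items():
        if "supported_enctypes" not in cfg:
            continue  # unset: the KDC's built-in default applies
        supported = {e.split(":")[0] for e in cfg["supported_enctypes"].split()}
        missing = [e for e in client_enctypes if e not in supported]
        report[realm] = {"missing": missing, "master_key_type": cfg.get("master_key_type")}
    return report

if __name__ == "__main__":
    print(check_enctypes(CONSTRUCTED_BEFORE), check_enctypes(CONSTRUCTED_AFTER))
```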
Comment 1 Chris Ricker 2002-06-11 19:04:02 EDT
I'm seeing this as well.  This bug is still present in RH 7.3
Comment 2 Steven Pritchard 2004-07-18 14:01:15 EDT
On FC2, master_key_type is set to des-cbc-crc, and supported_enctypes  
includes a long list.  Other than defaulting to a perhaps not 
terribly secure encryption type, it looks like this bug is fixed. 
Comment 3 Dax Kelson 2004-09-21 01:47:53 EDT
It would be nice if the master_key_type was changed to the default
used by both MIT and Heimdal, the one in the original (shockingly
old!) bug report -- des3-hmac-sha1.
