Bug 837829 - Mismatch of enctypes between principal and princpal
Summary: Mismatch of enctypes between principal and princpal
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 837855
TreeView+ depends on / blocked
 
Reported: 2012-07-05 13:34 UTC by Stef Walter
Modified: 2012-09-25 18:50 UTC (History)
4 users (show)

Fixed In Version: krb5-1.10.3-5.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 837855 (view as bug list)
Environment:
Last Closed: 2012-09-25 18:50:37 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Stef Walter 2012-07-05 13:34:12 UTC
Samba 3 generates keytabs for a static list of enctypes (arcfour-hmac, des-cbc-md5, des-cbc-crc). When using krb5 < 1.11.0 to kinit using a keytab on a realm running AD 2008 (which supports AES), the kinit fails due to mismatched enctypes.

This is because the strongest supported enctype is chosen by default. In this case AES is supported by both the client and KDC. However then during preauth krb5 tries to load an AES key entry from the keytab, and it is not present.

This was discussed and patched in krb5 a while back:

http://mailman.mit.edu/pipermail/krbdev/2012-April/010768.html

https://github.com/krb5/krb5/commit/d1da158f47ea604bed4d5db5e98a976a9e54ccd0

https://github.com/krb5/krb5/commit/8230c4b7b7323cdef2a6c877deb710a15380f40f

Recently a number of corner cases exposed flaws in this patch to do with session keys. Slightly different corner cases exist with both MIT KDC and AD 2008 when DES is in use. Instead of requesting only the enctypes in the keytab, we request all the default enctypes, but sort those in the keytab first, indicating preference.

http://mailman.mit.edu/pipermail/krbdev/2012-July/010998.html

https://github.com/krb5/krb5/commit/61659df1036d1ad6d6891293f5949e720a2028f7

https://github.com/krb5/krb5/commit/7266becb5590fdf5b10463fe22bfd67650e24975

We may need to backport these patches to earlier packages of krb5, in order to facilitate use of samba3 generated keytabs with AD 2008 (for example in sssd).

In bug #811375 we tried to have sssd work around the problem, but are new unable to fix the corner cases above due to lack of API in krb5:

Comment 1 Nalin Dahyabhai 2012-09-25 18:50:37 UTC
Merged for 1.10.3-5, which should be in F18.  Marking CLOSED->NEXTRELEASE.


Note You need to log in before you can comment on or make changes to this bug.