Bug 837829 - Mismatch of enctypes between principal and principal
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: krb5
rawhide
Assigned To: Nalin Dahyabhai
Fedora Extras Quality Assurance
Blocks: 837855
Reported: 2012-07-05 09:34 EDT by Stef Walter
Modified: 2012-09-25 14:50 EDT

Fixed In Version: krb5-1.10.3-5.fc18
Doc Type: Bug Fix
Last Closed: 2012-09-25 14:50:37 EDT
Type: Bug

Description Stef Walter 2012-07-05 09:34:12 EDT
Samba 3 generates keytabs for a static list of enctypes (arcfour-hmac, des-cbc-md5, des-cbc-crc). When using krb5 < 1.11.0 to kinit using a keytab on a realm running AD 2008 (which supports AES), the kinit fails due to mismatched enctypes.

This is because the strongest supported enctype is chosen by default. In this case AES is supported by both the client and KDC. However then during preauth krb5 tries to load an AES key entry from the keytab, and it is not present.

This was discussed and patched in krb5 a while back:

http://mailman.mit.edu/pipermail/krbdev/2012-April/010768.html

https://github.com/krb5/krb5/commit/d1da158f47ea604bed4d5db5e98a976a9e54ccd0

https://github.com/krb5/krb5/commit/8230c4b7b7323cdef2a6c877deb710a15380f40f

Recently a number of corner cases exposed flaws in this patch to do with session keys. Slightly different corner cases exist with both MIT KDC and AD 2008 when DES is in use. Instead of requesting only the enctypes in the keytab, we request all the default enctypes, but sort those in the keytab first, indicating preference.

http://mailman.mit.edu/pipermail/krbdev/2012-July/010998.html

https://github.com/krb5/krb5/commit/61659df1036d1ad6d6891293f5949e720a2028f7

https://github.com/krb5/krb5/commit/7266becb5590fdf5b10463fe22bfd67650e24975

We may need to backport these patches to earlier packages of krb5, in order to facilitate use of samba3 generated keytabs with AD 2008 (for example in sssd).

In bug #811375 we tried to have sssd work around the problem, but are now unable to fix the corner cases above due to lack of API in krb5:
Comment 1 Nalin Dahyabhai 2012-09-25 14:50:37 EDT
Merged for 1.10.3-5, which should be in F18.  Marking CLOSED->NEXTRELEASE.
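The following is an added illustration of the enctype-ordering behaviour described in the report above; it is not code from krb5, Samba or sssd, and it does not come from this bug. It models the two client strategies side by side: the pre-fix request (default list, strongest first) and the post-fix request (all default enctypes, with those present in the keytab moved to the front, as in the krb5 commit the reporter cites). The enctype names, the default list, the "Samba 3 keytab" and the "AD 2008 principal keys" are constructed assumptions, and the KDC is simplified to answering with the first requested enctype for which it holds a key for the principal; real KDCs and the session-key corner cases mentioned in the report are more involved than this.

```python
"""Model of client-side enctype ordering for a keytab-based kinit.

Added example, not krb5/Samba/sssd code. All lists below are constructed
for illustration; the KDC model is deliberately simplified (assumption).
"""

# Assumed client default enctype list, strongest first (illustrative; not
# the exact MIT krb5 default_tkt_enctypes string).
DEFAULT_ENCTYPES = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "arcfour-hmac",
    "des-cbc-md5",
    "des-cbc-crc",
]

# Constructed keytab contents: the static list the report says Samba 3 writes.
SAMBA3_KEYTAB_ENCTYPES = ["arcfour-hmac", "des-cbc-md5", "des-cbc-crc"]

# Constructed key set for the principal on an AD 2008 KDC (AES supported).
AD2008_PRINCIPAL_KEYS = {
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "arcfour-hmac",
    "des-cbc-md5",
    "des-cbc-crc",
}


def request_strongest_first(defaults, keytab_enctypes):
    """Pre-fix client: the AS request simply carries the default list.

    keytab_enctypes is accepted for a uniform signature but ignored.
    """
    return list(defaults)


def request_keytab_first(defaults, keytab_enctypes):
    """Post-fix client (as the report describes it): request every default
    enctype, but list the ones present in the keytab first, keeping the
    default list's relative order inside each group.
    """
    present = set(keytab_enctypes)
    in_keytab = [e for e in defaults if e in present]
    not_in_keytab = [e for e in defaults if e not in present]
    return in_keytab + not_in_keytab


def kdc_pick(requested, principal_keys):
    """Simplified KDC (assumption): the reply is encrypted in the first
    requested enctype for which the principal has a key, or None."""
    for enctype in requested:
        if enctype in principal_keys:
            return enctype
    return None


def kinit_with_keytab(requested, keytab_enctypes, principal_keys):
    """Simulate the keytab step of kinit: the client must find a key of the
    KDC-chosen enctype in its keytab to decrypt the reply.

    Returns (succeeded, chosen_enctype).
    """
    chosen = kdc_pick(requested, principal_keys)
    if chosen is None:
        return False, None
    return chosen in set(keytab_enctypes), chosen


def compare_strategies(defaults=DEFAULT_ENCTYPES,
                       keytab=SAMBA3_KEYTAB_ENCTYPES,
                       kdc_keys=AD2008_PRINCIPAL_KEYS):
    """Run both strategies against the same keytab and KDC."""
    return {
        "strongest_first": kinit_with_keytab(
            request_strongest_first(defaults, keytab), keytab, kdc_keys),
        "keytab_first": kinit_with_keytab(
            request_keytab_first(defaults, keytab), keytab, kdc_keys),
    }


if __name__ == "__main__":
    for name, (ok, enctype) in compare_strategies().items():
        print(f"{name:16s} -> KDC chose {enctype}, kinit {'ok' if ok else 'FAILS'}")
```

With the constructed inputs the strongest-first request makes the KDC choose aes256-cts-hmac-sha1-96, which the Samba 3 keytab does not contain, so the simulated kinit fails; the keytab-first request yields arcfour-hmac and succeeds, while AES still remains in the request for KDCs that need it.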
