Bug 837829 - Mismatch of enctypes between principal and princpal
Mismatch of enctypes between principal and princpal
Product: Fedora
Classification: Fedora
Component: krb5 (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Nalin Dahyabhai
Fedora Extras Quality Assurance
Depends On:
Blocks: 837855
  Show dependency treegraph
Reported: 2012-07-05 09:34 EDT by Stef Walter
Modified: 2012-09-25 14:50 EDT (History)
4 users (show)

See Also:
Fixed In Version: krb5-1.10.3-5.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 837855 (view as bug list)
Last Closed: 2012-09-25 14:50:37 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Stef Walter 2012-07-05 09:34:12 EDT
Samba 3 generates keytabs for a static list of enctypes (arcfour-hmac, des-cbc-md5, des-cbc-crc). When using krb5 < 1.11.0 to kinit using a keytab on a realm running AD 2008 (which supports AES), the kinit fails due to mismatched enctypes.

This is because the strongest supported enctype is chosen by default. In this case AES is supported by both the client and KDC. However then during preauth krb5 tries to load an AES key entry from the keytab, and it is not present.

This was discussed and patched in krb5 a while back:




Recently a number of corner cases exposed flaws in this patch to do with session keys. Slightly different corner cases exist with both MIT KDC and AD 2008 when DES is in use. Instead of requesting only the enctypes in the keytab, we request all the default enctypes, but sort those in the keytab first, indicating preference.




We may need to backport these patches to earlier packages of krb5, in order to facilitate use of samba3 generated keytabs with AD 2008 (for example in sssd).

In bug #811375 we tried to have sssd work around the problem, but are new unable to fix the corner cases above due to lack of API in krb5:
Comment 1 Nalin Dahyabhai 2012-09-25 14:50:37 EDT
Merged for 1.10.3-5, which should be in F18.  Marking CLOSED->NEXTRELEASE.

Note You need to log in before you can comment on or make changes to this bug.