
Re: heimdal 0.6.5 kinit from keytab/srvtab: oddness




"Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu> writes:

> 2@bajinaji000:511 Z# od -c lsf.srvtab
> 0000000   l   s   f   c   l   i   e   n   t  \0  \0   E   C   E   .   C
> 0000020   M   U   .   E   D   U  \0 001   � \v  \b   O   C 001      @
> 0000040   l   s   f   c   l   i   e   n   t  \0  \0   E   C   E   .   C
> 0000060   M   U   .   E   D   U  \0 001   �  �  �   224
> 0000100
>
> I count only two keys there; where'd ktutil get six?

Ktutil helpfully expands all DES encryption types for you from the one
Kerberos 4 key.

>
> The keytab is even weirder:  after examining the above "get" lists, we
> concluded that it might be a good idea to remove all the krb4 keys (the
> one difference that stands out to me is that the working principal has
> no krb4 keys with pw-salt, only with afs3-salt; but you can't delete
> keys by salt type).  Which led to:
>
> 2@bajinaji000:512 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-md5
> 2@bajinaji000:513 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-md4
> 2@bajinaji000:514 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-crc
> 2@bajinaji000:515 Z# kinit --use-keytab --keytab=/tmp/lsf.keytab -n lsfclient
> kinit: krb5_get_init_creds: failed to find lsfclient@ECE.CMU.EDU in keytab /tmp/lsf.keytab

For this it might be looking for another encryption type than the one that
exists in the keytab.

BTW 0.6 doesn't have any AES code (that is turned on).

Love

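The record layout visible in the od dump (three NUL-terminated strings, a one-byte key version, eight key bytes) and the two-keys-become-six expansion, as an added example that is not part of the original message or Heimdal's own code. The key bytes are constructed placeholders, and the three enctype names are assumed to be the ones used in the `ktutil remove` commands in the thread.

```python
# Added example: Kerberos 4 srvtab parser; key bytes are constructed.
from typing import NamedTuple

# Assumption: the DES enctypes are the three named in the thread's commands.
DES_ENCTYPES = ("des-cbc-crc", "des-cbc-md4", "des-cbc-md5")
KEY_LEN = 8  # a krb4 key is one 8-byte DES key

class SrvtabEntry(NamedTuple):
    service: str
    instance: str
    realm: str
    kvno: int
    key: bytes

def _cstring(buf, pos):
    """Read a NUL-terminated ASCII string; return (text, next offset)."""
    end = buf.find(b"\0", pos)
    if end < 0:
        raise ValueError(f"unterminated string at offset {pos}")
    return buf[pos:end].decode("ascii"), end + 1

def parse_srvtab(buf):
    """Parse records of service\\0 instance\\0 realm\\0 kvno(1) key(8)."""
    entries, pos = [], 0
    while pos < len(buf):
        service, pos = _cstring(buf, pos)
        instance, pos = _cstring(buf, pos)
        realm, pos = _cstring(buf, pos)
        if pos + 1 + KEY_LEN > len(buf):
            raise ValueError(f"truncated record at offset {pos}")
        entries.append(SrvtabEntry(service, instance, realm, buf[pos],
                                   buf[pos + 1:pos + 1 + KEY_LEN]))
        pos += 1 + KEY_LEN
    return entries

def expand_des(entries):
    """One (principal, kvno, enctype) row per stored key and DES enctype."""
    rows = []
    for e in entries:
        name = f"{e.service}/{e.instance}" if e.instance else e.service
        rows += [(f"{name}@{e.realm}", e.kvno, et) for et in DES_ENCTYPES]
    return rows

def sample_srvtab():
    """Constructed input: layout of the od dump, placeholder key bytes."""
    head = b"lsfclient\0" + b"\0" + b"ECE.CMU.EDU\0" + bytes([1])
    return head + bytes(range(8)) + head + bytes(range(8, 16))

if __name__ == "__main__":
    for row in expand_des(parse_srvtab(sample_srvtab())):
        print(*row)
```

The constructed file is 64 bytes, matching the `0000100` (octal) end offset in the dump, and parses to two stored keys that list as six rows.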