[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal 0.6.5 kinit from keytab/srvtab: oddness

"Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu> writes:

> 2@bajinaji000:511 Z# od -c lsf.srvtab
> 0000000   l   s   f   c   l   i   e   n   t  \0  \0   E   C   E   .   C
> 0000020   M   U   .   E   D   U  \0 001   ´┐Ż \v  \b   O   C 001      @
> 0000040   l   s   f   c   l   i   e   n   t  \0  \0   E   C   E   .   C
> 0000060   M   U   .   E   D   U  \0 001   ´┐Ż  ´┐Ż  ´┐Ż   224
> 0000100
> I count only two keys there; where'd ktutil get six?

Ktutil helpfully expands all des encryption type for you from the one
kerberos 4 key.

> The keytab is even weirder:  after examining the above "get" lists, we
> concluded that it might be a good idea to remove all the krb4 keys (the
> one difference that stands out to me is that the working principal has
> no krb4 keys with pw-salt, only with afs3-salt; but you can't delete
> keys by salt type).  Which led to:
> 2@bajinaji000:512 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-md5
> 2@bajinaji000:513 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-md4
> 2@bajinaji000:514 Z# ktutil -k lsf.keytab remove -p lsfclient -e des-cbc-crc
> 2@bajinaji000:515 Z# kinit --use-keytab --keytab=/tmp/lsf.keytab -n lsfclient
> kinit: krb5_get_init_creds: failed to find lsfclient@ECE.CMU.EDU in keytab /tmp/lsf.keytab

For this it might be looking for another encryption type then that exists
in the keytab.

BTW 0.6 doesn't have any AES code (that is turned on).


PGP signature