[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

KDC has no support for encryption type, but only from KDC

Hello Heimdalers,

Weird one. I can kinit from every machine in the realm execpt from the kdc, unless my Principal includes single DES enc-types. As soon as I have deleted all three single DESs from my principal, I get this:

kinit: KDC has no support for encryption type while getting initial credentials

However, I can get aes-256 Tickets for that very same principal, from that very same KDC, from other computers in the realm. From kdc.log:

2006-03-16T10:21:42 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2006-03-16T10:21:42 Requested flags: renewable_ok 2006-03-16T10:21:42 sending 641 bytes to IPv4: 2006-03-16T10:21:42 TGS-REQ trussell@VATTENFALL.KRB.UNIX from IPv4: for host/isuadm01.corp.vattenfall.de@VATTENFALL.KRB.UNIX
2006-03-16T10:21:42 sending 652 bytes to IPv4:

Output from klist -e from that machine:

Ticket cache: FILE:/tmp/krb5cc_2004
Default principal: trussell@VATTENFALL.KRB.UNIX

Valid starting     Expires            Service principal
03/16/06 10:23:39  03/17/06 10:23:39  krbtgt/VATTENFALL.KRB.UNIX@VATTENFALL.KRB.UNIX
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

Output from list -l trussell from kadmin:

Principal: trussell@VATTENFALL.KRB.UNIX
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 0
                Mkvno: 0
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2006-03-16 09:40:06 UTC
             Modifier: tradmin/admin@VATTENFALL.KRB.UNIX
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)

Is this wierd problem one of those ugly, unpredictable thingies that happen when one's realm is a mix of MIT and Heimdal? I am still in the test phase with this project, and started out with MIT until it became clear that OpenLDAP works only with Heimdal, hence the weird mix.

Any help, tips, advice, greatly appreiciated.



Mit freundlichen Grüßen
Toby Russell
Vattenfall Europe Information Services GmbH
Datacentre Systemservice         
Überseering 12
22297 Hamburg
Rohrdamm 7
13629 Berlin
fon +49 (0) 30 60005 - 4533
fax +49 (0) 30 60005 - 4549
E-Mail   mailto:toby.russell@vattenfall.de
Internet http://www.vattenfall.de/is