[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Enctype Problem

Hello Heimdalers,

Weird one. I can kinit from every machine in the realm execpt from the
kdc, unless my Principal includes single DES enc-types. As soon as I
have deleted all three single DESs from my principal, I get this:

kinit: KDC has no support for encryption type while getting initial

However, I can get aes-256 Tickets for that very same principal, from
that very same KDC, from other computers in the realm. From kdc.log:

2006-03-16T10:21:42 AS-REQ trussell@VATTENFALL.KRB.UNIX from
2006-03-16T10:21:42 Using
2006-03-16T10:21:42 Requested flags: renewable_ok 2006-03-16T10:21:42
sending 641 bytes to IPv4: 2006-03-16T10:21:42 TGS-REQ
trussell@VATTENFALL.KRB.UNIX from IPv4: for
2006-03-16T10:21:42 sending 652 bytes to IPv4:

Output from klist -e from

Ticket cache: FILE:/tmp/krb5cc_2004
Default principal: trussell@VATTENFALL.KRB.UNIX

Valid starting     Expires            Service principal
03/16/06 10:23:39  03/17/06 10:23:39
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC,
AES-256 CTS mode with 96-bit SHA-1 HMAC

Output from "list -l trussell" from kadmin:

Principal: trussell@VATTENFALL.KRB.UNIX
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 0
                Mkvno: 0
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2006-03-16 09:40:06 UTC
             Modifier: tradmin/admin@VATTENFALL.KRB.UNIX
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)

Is this wierd problem one of those ugly, unpredictable thingies that
happen when one's realm is a mix of MIT and Heimdal (KDC is Heimdal)? I
am still in the test phase with this project, and started out with MIT
until it became clear that OpenLDAP works only with Heimdal, hence the

Any help, tips, advice, greatly appreiciated.