
Re: Enctype Problem



Are you using the same kinit program that was built with the kdc, or  
some other, older version?

"which kinit"

On Mar 20, 2006, at 11:26 PM, <Toby.Russell@vattenfall.de>  
<Toby.Russell@vattenfall.de> wrote:

> Hello Heimdalers,
>
> Weird one. I can kinit from every machine in the realm except from the
> kdc, unless my Principal includes single DES enc-types. As soon as I
> have deleted all three single DESs from my principal, I get this:
>
> kinit: KDC has no support for encryption type while getting initial
> credentials
>
> However, I can get aes-256 Tickets for that very same principal, from
> that very same KDC, from other computers in the realm. From kdc.log:
>
> 2006-03-16T10:21:42 AS-REQ trussell@VATTENFALL.KRB.UNIX from IPv4:10.20.28.57 for krbtgt/VATTENFALL.KRB.UNIX@VATTENFALL.KRB.UNIX
> 2006-03-16T10:21:42 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> 2006-03-16T10:21:42 Requested flags: renewable_ok
> 2006-03-16T10:21:42 sending 641 bytes to IPv4:10.20.28.57
> 2006-03-16T10:21:42 TGS-REQ trussell@VATTENFALL.KRB.UNIX from IPv4:10.20.28.57 for host/isuadm01.corp.vattenfall.de@VATTENFALL.KRB.UNIX
> 2006-03-16T10:21:42 sending 652 bytes to IPv4:10.20.28.57
>
> Output from klist -e from 10.20.28.57:
>
> Ticket cache: FILE:/tmp/krb5cc_2004
> Default principal: trussell@VATTENFALL.KRB.UNIX
>
> Valid starting     Expires            Service principal
> 03/16/06 10:23:39  03/17/06 10:23:39  krbtgt/VATTENFALL.KRB.UNIX@VATTENFALL.KRB.UNIX
>         Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
> Output from "list -l trussell" from kadmin:
>
> Principal: trussell@VATTENFALL.KRB.UNIX
>     Principal expires: never
>      Password expires: never
>  Last password change: never
>       Max ticket life: 1 day
>    Max renewable life: 1 week
>                  Kvno: 0
>                 Mkvno: 0
> Last successful login: never
>     Last failed login: never
>    Failed login count: 0
>         Last modified: 2006-03-16 09:40:06 UTC
>              Modifier: tradmin/admin@VATTENFALL.KRB.UNIX
>            Attributes:
>              Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>
> Is this weird problem one of those ugly, unpredictable thingies that
> happen when one's realm is a mix of MIT and Heimdal (KDC is  
> Heimdal)? I
> am still in the test phase with this project, and started out with MIT
> until it became clear that OpenLDAP works only with Heimdal, hence the
> mix.
>
> Any help, tips, advice, greatly appreciated.
>
> Cheers,
>
> Toby
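As an added illustration (not code from the thread) of the negotiation behind the error message: the KDC can only issue a ticket with an enctype that the client's kinit offers AND that the principal has a key for. The two client enctype lists below are constructed assumptions standing in for an AES-capable kinit and an older single-DES-only kinit; the Keytypes sample is taken from the kadmin output quoted above.

```python
import re

# Constructed sample: the relevant part of the "list -l trussell" output
# quoted in the thread, including the wrapped Keytypes: line.
KADMIN_LIST_OUTPUT = """\
Principal: trussell@VATTENFALL.KRB.UNIX
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
"""

# Assumed client offer lists (not from the thread): a kinit built with AES
# support versus an older kinit that only knows single DES.
AES_CAPABLE_KINIT = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1",
                     "arcfour-hmac-md5", "des-cbc-md5"]
DES_ONLY_KINIT = ["des-cbc-md5", "des-cbc-md4", "des-cbc-crc"]


def parse_keytypes(kadmin_output):
    """Return the principal's key enctypes from kadmin 'list -l' output.

    The Keytypes: value may wrap onto following lines; capture until the
    next 'Field name:' line or end of output, then strip the (salt) notes.
    """
    collected, capturing = [], False
    for line in kadmin_output.splitlines():
        if not capturing:
            if "Keytypes:" in line:
                capturing = True
                collected.append(line.split("Keytypes:", 1)[1])
            continue
        if re.match(r"^\s*[A-Za-z ]+:", line):   # a new field begins
            break
        collected.append(line)
    tokens = " ".join(collected).split(",")
    return [re.sub(r"\(.*?\)", "", t).strip() for t in tokens if t.strip()]


def select_etype(client_etypes, principal_keytypes):
    """First client-preferred enctype the principal has a key for, else None."""
    keys = set(principal_keytypes)
    for etype in client_etypes:
        if etype in keys:
            return etype
    return None


if __name__ == "__main__":
    keytypes = parse_keytypes(KADMIN_LIST_OUTPUT)
    for name, offer in (("aes-capable", AES_CAPABLE_KINIT), ("des-only", DES_ONLY_KINIT)):
        chosen = select_etype(offer, keytypes)
        print(name, "->", chosen or "KDC has no support for encryption type")
```

Re-adding a single DES key to the principal makes the DES-only client succeed again, which is exactly the symptom the thread describes; the stronger fix is the one the reply suggests, a kinit that offers the principal's AES/3DES/RC4 enctypes.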