
Re: KDC refuses to give des-cbc-crc keys

On 3 Oct 2006, at 11:46, Juha Jäykkä wrote:

> While testing NFSv4 gss/krb5 mounts, I ran into the following problem:
> KDC won't give rpc.gssd des-cbc-crc keys at all. I cannot understand why.
> The principal has the keytype, the keytab has the keytype, the AS-REQ
> lists enctypes 1,2,3,16,17,18,23 (I wiresharked that part), but the KDC
> responds with just type 18. Linux nfsv4, for some strange reason, insists
> on des-cbc-crc enctype.
>
> How do I persuade the KDC to give the client all the enctypes it asks
> for or at least both aes and des? Setting default_tgs_enctypes,
> default_tkt_enctypes et al in krb5.conf does not help.

The KDC only hands out one ticket, and it chooses the first enctype
that the service thinks it supports (from the database) with the
first keytype that the client supports.

If the service only supports des-cbc-crc, remove all other enctypes from the entry.

You can force the client to only announce it supports des-cbc-crc by
using kgetcred -e des-cbc-crc service/principal@REALM.
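
Added example, not part of the original message and not Heimdal code: a simplified Python model of the selection rule as the reply states it, showing why the AS-REQ in the question yields type 18 and how each of the two suggested changes yields type 1. The order of keys in the service entry is an assumption constructed for illustration; the client list is the one quoted in the question.

```python
# Kerberos enctype numbers for the values listed in the thread's AS-REQ.
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5",
}

# Client list from the question; service entry order is constructed.
CLIENT_REQ = [1, 2, 3, 16, 17, 18, 23]
SERVICE_ENTRY = [18, 16, 23, 1]


def select_enctype(service_keys, client_etypes):
    """Model of the stated rule: walk the service's keys in database
    order and return the first enctype the client also announced.
    Returns None when the two lists have nothing in common."""
    announced = set(client_etypes)
    for etype in service_keys:
        if etype in announced:
            return etype
    return None


def describe(service_keys, client_etypes):
    """Human-readable result for one service entry / client request pair."""
    chosen = select_enctype(service_keys, client_etypes)
    if chosen is None:
        return "no common enctype"
    return f"{chosen} ({ENCTYPES.get(chosen, 'unknown')})"


def scenarios():
    """The situation in the question and the two changes from the reply."""
    return {
        # Service entry holds AES first: the single ticket uses type 18.
        "as reported": describe(SERVICE_ENTRY, CLIENT_REQ),
        # Option 1: remove every enctype but des-cbc-crc from the entry.
        "entry trimmed to des-cbc-crc": describe([1], CLIENT_REQ),
        # Option 2: client announces only des-cbc-crc (kgetcred -e).
        "client announces only des-cbc-crc": describe(SERVICE_ENTRY, [1]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```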