
krb5_verify_user requires single-DES host key in keytab?

I'm using the Heimdal integrated into NetBSD 4.0_BETA2 (I believe this
is from the 0.7 branch of Heimdal).

I have no principals in my database with any single-DES keys, though
kadmin and ktutil don't exactly make this easy.  The keytabs on my hosts
have only 3des keys for host/host.domain@REALM.

When I try to use an application like sudo 1.6.9 that calls krb5_verify_user
to check a user's password, it gets the TGT for the user, but then fails
to find the service key for the host in the keytab, with an error like

sudo: kerb5: host service key not found: Unknown error -1765328203
Jul 28 23:56:46 hostname sudo:      tls : kerb5: host service key not found:
Unknown error -1765328203 ; TTY=tty00 ; PWD=/home/tls ; USER=root ;
sudo: kerb5: Cannot verify TGT! Possible attack!: Unknown error -1765328203
Sorry, try again.

Is this expected?  Can I patch krb5_verify_user to fix it?  I can't figure
out what that error code actually is.

  Thor Lancelot Simon	                                     tls@rek.tjls.com

  "The inconsistency is startling, though admittedly, if consistency is to
   be abandoned or transcended, there is no problem."	      - Noam Chomsky
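
Added example, not part of the original post: the "Unknown error -1765328203" value in the log above is a com_err-style code, which packs a four-character error-table name into its upper 24 bits (6 bits per character) and the message index into the low 8 bits. The function names below are hypothetical; the constants follow the com_err encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ERRCODE_RANGE 8   /* low 8 bits: message index within the table */
#define BITS_PER_CHAR 6   /* table name is packed 6 bits per character */

/* Alphabet used by com_err to encode table names; value 1 maps to 'A'. */
static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Index of the message inside its error table (hypothetical helper name). */
static unsigned et_offset(long code)
{
    return (uint32_t)code & ((1u << ERRCODE_RANGE) - 1);
}

/* Recover the table name from the upper 24 bits; out must hold 5 bytes. */
static const char *et_table_name(long code, char out[5])
{
    uint32_t num = ((uint32_t)code >> ERRCODE_RANGE) & 0xFFFFFFu;
    char *p = out;

    for (int i = 3; i >= 0; i--) {
        unsigned ch = (num >> (BITS_PER_CHAR * i)) & 0x3Fu;
        if (ch != 0)              /* 0 means "no character in this slot" */
            *p++ = char_set[ch - 1];
    }
    *p = '\0';
    return out;
}

int main(void)
{
    long code = -1765328203L;     /* value taken from the sudo log above */
    char name[5];

    printf("table=%s offset=%u base=%ld\n",
           et_table_name(code, name), et_offset(code),
           code - (long)et_offset(code));
    return 0;
}
```

The code decodes to table "krb5", offset 181. MIT krb5's krb5.h defines KRB5_KT_NOTFOUND as this same value; on a Heimdal system the name for offset 181 is in its generated krb5_err.h.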