Re: krb5_verify_user requires single-DES host key in keytab?
On 29 Jul 2007, at 01:59, Thor Lancelot Simon wrote:
> I'm using the Heimdal integrated into NetBSD 4.0_BETA2 (I believe this
> is from the 0.7 branch of Heimdal).
>
> I have no principals in my database with any single-DES keys, though
> kadmin and ktutil don't exactly make this easy. The keytabs on my
> hosts have only 3des keys for host/host.domain@REALM.
Setting the following in krb5.conf on the kdc

    [kadmin]
    default_keys = des3-cbc-sha1:pw-salt

and doing a

    ktutil get -p tls/admin get host/`hostname`

doesn't make you happy?
> When I try to use an application like sudo 1.6.9 that calls
> krb5_verify_user to check a user's password, it gets the TGT for the
> user, but then fails to find the service key for the host in the
> keytab, with an error like this:
>
> sudo: kerb5: host service key not found: Unknown error -1765328203
> Jul 28 23:56:46 hostname sudo: tls : kerb5: host service key not found: Unknown error -1765328203 ; TTY=tty00 ; PWD=/home/tls ; USER=root ; COMMAND=/bin/sh
> sudo: kerb5: Cannot verify TGT! Possible attack!: Unknown error -1765328203
> Sorry, try again.
>
> Is this expected? Can I patch krb5_verify_user to fix it? I can't
> figure out what that error code actually is.
/usr/heimdal/include/krb5_err.h: KRB5_KT_NOTFOUND = -1765328203,
I think your database mismatches your keytab.
Love
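
An added example, not part of the original thread and not Heimdal code: a small Python parser for the version 0x0502 keytab file format that lists each entry's principal, kvno and enctype, which is what to compare against the KDC database when a host reports KRB5_KT_NOTFOUND. `error_offset` gives the position of a code such as -1765328203 within the krb5 error table; the sample keytab, host name and realm are constructed placeholders.

```python
import struct

KRB5_TABLE_BASE = -1765328384  # com_err base of the krb5 error table
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def error_offset(code):  # position of a krb5 library error inside its table
    return code - KRB5_TABLE_BASE

def _counted(blob, p):  # uint16-length-prefixed string -> (data, next offset)
    (n,) = struct.unpack_from(">H", blob, p)
    return blob[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(blob):
    """Return [(principal, kvno, enctype name)] for a version 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, p = _counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(blob, p)
            comps.append(comp.decode())
        p += 8                        # skip name_type and timestamp
        kvno, (etype,) = blob[p], struct.unpack_from(">H", blob, p + 1)
        _, p = _counted(blob, p + 3)  # step over the key bytes; never returned
        if end - p >= 4:              # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, p)
        out.append(("/".join(comps) + "@" + realm.decode(), kvno,
                    ENCTYPES.get(etype, "etype-%d" % etype)))
        pos = end
    return out

def make_entry(comps, realm, kvno, etype, key):  # builds sample data only
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body
# Constructed sample: placeholder host principal, des3 enctype, all-zero key.
SAMPLE = b"\x05\x02" + make_entry([b"host", b"host.example.org"], b"EXAMPLE.ORG", 3, 16, bytes(24))
```

On a real host, read the keytab file in binary mode and pass the bytes to `parse_keytab`; the key material is skipped and never returned.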