[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: krb5_verify_user requires single-DES host key in keytab?

29 jul 2007 kl. 01.59 skrev Thor Lancelot Simon:

> I'm using the Heimdal integrated into NetBSD 4.0_BETA2 (I believe this
> is from the 0.7 branch of Heimdal).
> I have no principals in my database with any single-DES keys, though
> kadmin and ktutil don't exactly make this easy.  The keytabs on my  
> hosts
> have only 3des keys for host/host.domain@REALM.

Setting the following in krb5.conf on the kdc

	default_keys = des3-cbc-sha1:pw-salt

and doing a

	ktutil get -p tls/admin get host/`hostname`

doesn't make you happy ?

> When I try to use an application like sudo 1.6.9 that calls  
> krb5_verify_user
> to check a user's password, it gets the TGT for the user, but then  
> fails
> to find the service key for the host in the keytab, with an error like
> this:
> sudo: kerb5: host service key not found: Unknown error -1765328203
> Jul 28 23:56:46 hostname sudo:      tls : kerb5: host service key  
> not found:
> Unknown error -1765328203 ; TTY=tty00 ; PWD=/home/tls ; USER=root ;
> COMMAND=/bin/sh
> sudo: kerb5: Cannot verify TGT! Possible attack!: Unknown error  
> -1765328203
> Sorry, try again.
> Is this expected?  Can I patch krb5_verify_user to fix it?  I can't  
> figure
> out what that error code actually is.

/usr/heimdal/include/krb5_err.h:        KRB5_KT_NOTFOUND = -1765328203,

I think you database mismatch with your keytab.