[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: krb5_verify_user requires single-DES host key in keytab?
On Sun, Jul 29, 2007 at 05:12:32PM +0200, Love H?rnquist ?strand wrote:
> Setting the following in krb5.conf on the kdc
> default_keys = des3-cbc-sha1:pw-salt
> and doing a
> ktutil get -p tls/admin get host/`hostname`
> doesn't make you happy ?
No, I get the same keys I've already got in the keytab.
> >sudo: kerb5: host service key not found: Unknown error -1765328203
> >Jul 28 23:56:46 hostname sudo: tls : kerb5: host service key
> >not found:
> >Unknown error -1765328203 ; TTY=tty00 ; PWD=/home/tls ; USER=root ;
> >sudo: kerb5: Cannot verify TGT! Possible attack!: Unknown error
> >Sorry, try again.
> >Is this expected? Can I patch krb5_verify_user to fix it? I can't
> >out what that error code actually is.
> /usr/heimdal/include/krb5_err.h: KRB5_KT_NOTFOUND = -1765328203,
> I think you database mismatch with your keytab.
Not so far as I can tell -- and I can use the host key to log in to the
host, too. The problem seems to be specifically with krb5_verify_user().
If you can't think of why, I can try rebuilding libkrb5 with debugging
symbols and trace into verify_user and see what it thinks is wrong --
but the problem only seems to occur on hosts that have only 3des keys,
which makes me suspicious.