From root@ca.lcs.mit.edu Sun Oct 31 16:09:45 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
	by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id QAA11695
	for ; Sun, 31 Oct 1999 16:09:45 -0500
Received: from khavrinen.lcs.mit.edu by MIT.EDU with SMTP
	id AA13779; Sun, 31 Oct 99 16:10:02 EST
Received: from ca.lcs.mit.edu (ca.lcs.mit.edu [18.24.10.177])
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) with ESMTP id QAA39158
	for ; Sun, 31 Oct 1999 16:09:42 -0500 (EST)
	(envelope-from root@ca.lcs.mit.edu)
Received: (from root@localhost)
	by ca.lcs.mit.edu (8.9.3/8.9.3) id QAA00522;
	Sun, 31 Oct 1999 16:09:42 -0500 (EST)
	(envelope-from root@ca.lcs.mit.edu)
Message-Id: <199910312109.QAA00522@ca.lcs.mit.edu>
Date: Sun, 31 Oct 1999 16:09:42 -0500 (EST)
From: wollman@lcs.mit.edu
Reply-To: wollman@lcs.mit.edu
To: krb5-bugs@MIT.EDU
Subject: krb5_util load_v4 creates bad krbtgt principal
X-Send-Pr-Version: 3.99

>Number:         782
>Category:       krb5-kdc
>Synopsis:       krb5_util load_v4 creates bad krbtgt principal
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Sun Oct 31 16:10:01 EST 1999
>Last-Modified:
>Originator:     Garrett A. Wollman
>Organization:
	MIT Laboratory for Computer Science
>Release:        krb5-1.1
>Environment:
	System: FreeBSD ca.lcs.mit.edu 4.0-CURRENT FreeBSD 4.0-CURRENT #4: Wed Jul 14 16:57:46 EDT 1999 root@ca.lcs.mit.edu:/usr/src/sys/compile/CA i386
>Description:
	I just moved over our KDC from v4 to v5. All of the
	v4-compatibility features appear to work fine, but when I
	attempted to use a v5 application (e.g., ssh), I found that the
	KDC would not accept its own TGTs, complaining of a `bad
	encryption type'. Groveling around in the source for a few
	minutes did not help explain the problem, but it did find me a
	workaround.
>How-To-Repeat:
	kdc# kdb5_util create
	kdc# kdb5_util destroy
	kdc# kdb5_util load_v4 database-dump-from-v4-kdc
	host1$ ssh -v -o 'KerberosAuthentication=YES' host2
	host1: Kerberos V5: failure on credentials(Generic error (see e-text)).
	kdc# tail /var/log/auth.log
	krb5kdc[372]: TGS_REQ 18.24.4.193(750): PROCESS_TGS: authtime 0, for krbtgt/LCS.MIT.EDU@LCS.MIT.EDU, Bad encryption type
>Fix:
	work-around:
	kadmin: modprinc -support_desmd5 krbtgt/LCS.MIT.EDU@LCS.MIT.EDU
>Audit-Trail:
>Unformatted: