[email@example.com - Thu Nov 20 04:04:03 2014]:
> Hello, it seems we are getting closer to the origin of the loop!
> I.e. it looks like kadmin.local goes mad while comparing strings or looking
> for encryption type "arcfour-hmac".
We did change some code relating to how the keysalt list is processed, so that's likely the culprit
> Thus the issue is turning around "arcfour-hmac". My current list of
> encryption types includes this
> family, and I have to keep them there as the principals already possess the
> corresponding keys:
This is not actually true; the "supported_enctypes" variable is rather misnamed -- it controls the
generation of new keys on the KDC (e.g., from user-supplied passwords) by specifying which
enctypes will be generated, but has no effect on the operation of existing keys. (There is a
separate variable, "permitted_enctypes", which does have that effect.)
> "arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm
The arcfour family of enctypes do not actually use a salt, ever, so there is no difference between
the :normal, :norealm, and :onlyrealm forms. I am not yet sure if this duplication is causing the
spinning, but it is certainly unnecessary in your configuration.
> (If I recall it correctly, "arcfour-hmac" is used on Windows clients, and
> we have some
> Win machines that get the authentication from K5MIT and not from AD).
Windows XP and Windows Server 2003 only support the arcfour and single-DES encryption types.
Newer versions of windows also support the more modern AES encryption types (though perhaps
Windows Server 2008 would need some manual configuration to start using them; this is not
entirely clear to me). If your windows clients are, e.g., Windows 7 and above, they can handle
AES enctypes just fine. You will probably need to go and rekey some things to make a full
transition, but the mere presence of such windows clients does not require you to keep arcfour
around. The arcfour enctypes are likely to be deprecated in the next year or two.
> What could be done about it?
I will fire up a test KDC with the problematic supported_enctypes list and look into a fix.
> Cheers - Andrei.
> PS I have mentioned that the Builds directory of my yesterday's tar file was
> in fact containing two times 1.12.2 builds and not 1.12.2 and 1.13. I have
> hence replaced the tar.file with the one correcting the correct Builds
> sorry for this mistake. You may again grab it at:
Thanks, but I think just the bit about supported_enctypes will be enough for now.
Thanks for following up on this issue.