From tracy@www-gate.it-services.nwu.edu Wed Nov 24 12:10:42 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA07271 for ; Wed, 24 Nov 1999 12:10:41 -0500
Received: from www-gate.it-services.nwu.edu by MIT.EDU with SMTP id AA26583; Wed, 24 Nov 99 12:11:14 EST
Received: (from root@localhost) by www-gate.it-services.nwu.edu (8.8.8/8.8.5/25.0) id LAA29246; Wed, 24 Nov 1999 11:10:39 -0600 (CST)
Message-Id: <199911241710.LAA29246@www-gate.it-services.nwu.edu>
Date: Wed, 24 Nov 1999 11:10:39 -0600 (CST)
From: ptracy@nwu.edu
Reply-To: ptracy@nwu.edu
To: krb5-bugs@MIT.EDU
Subject: krb5-kdc bug, support_desmd5 attribute on TGT princ
X-Send-Pr-Version: 3.99

>Number: 792
>Category: krb5-kdc
>Synopsis: undocumented support_desmd5 attribute on by default in 1.1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 24 12:11:00 EST 1999
>Last-Modified:
>Originator: Phil Tracy
>Organization: Northwestern University IT
>Release: krb5-1.1
>Environment: HP/UX 10.20
System: HP-UX www-gate B.10.20 A 9000/770 2006557896 two-user license
>Description:
After building 1.1 and loading a dump of the 1.0.6 database, I'm able to get TGTs, but get bad enctype errors when trying to contact TGS. This is because the krbtgt/REALM@REALM principal has by default the SUPPORT_DESMD5 attribute set, and I'm not using MD5 anywhere. kadmin.local doesn't explicitly document how to turn this off, but it's easy enough to guess.
>How-To-Repeat:
Start with 1.0.6 KDC. Configure clients & kdc with only des-cbc-crs enctypes. Dump with kdb5_util. Load with 1.1 kdb5_util. Try to obtain TGT, then service ticket.
>Fix:
Use kadmin.local, modprinc -support_desmd5 krbtgt/REALM@REALM
>Audit-Trail:
>Unformatted:
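
The check and fix described in the report above, as an added example that is not part of the original message or of the krb5 distribution: it scans the text printed by kadmin.local's getprinc for SUPPORT_DESMD5 on the "Attributes:" line and prints the modprinc command from the >Fix: field. The function names, the EXAMPLE.TEST realm and the abbreviated sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find SUPPORT_DESMD5 in getprinc output and print the fix.

# Exit 0 if the getprinc text on stdin lists SUPPORT_DESMD5 on its
# "Attributes:" line, 1 otherwise (including an empty attribute list).
has_desmd5() {
    awk '/^Attributes:/ { for (i = 2; i <= NF; i++)
                              if ($i == "SUPPORT_DESMD5") found = 1 }
         END { exit !found }'
}

# Print (do not run) the corrective command from the report's >Fix: field.
fix_command() {
    printf 'kadmin.local -q "modprinc -support_desmd5 %s"\n' "$1"
}

# check_principal NAME: read getprinc output on stdin and report on NAME.
check_principal() {
    if has_desmd5; then
        fix_command "$1"
    else
        printf 'ok: %s\n' "$1"
    fi
}

# On a KDC host: feed the real getprinc output for NAME into the check.
audit_live() {
    kadmin.local -q "getprinc $1" | check_principal "$1"
}

# Constructed, abbreviated getprinc output for a flagged TGT principal.
sample_flagged() {
    cat <<'EOF'
Principal: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH SUPPORT_DESMD5
Policy: [none]
EOF
}

# Constructed output for a principal without the attribute.
sample_clean() {
    cat <<'EOF'
Principal: host/a.example.test@EXAMPLE.TEST
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
EOF
}
```

On a KDC, audit_live krbtgt/REALM@REALM runs the same check against the live database; the script only prints the modprinc command so the change can be reviewed before it is applied.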