| From: | "Arlene Berry" <aberry0364@hotmail.com> |
| To: | krb5-bugs@mit.edu |
| Subject: | des-cbc-md5 |
| Date: | Mon, 25 Sep 2006 23:06:51 +0000 |
For some time now I have noticed that if in krb5.conf you set
default_tkt_enctypes and default_tgs_enctypes to a single value of
des-cbc-md5, kinit fails with a KDC has no support for encryption type
message. Remove it or add another encryption type and kinit succeeds. I am
working with a third party kerberos/gssapi implementation, it receives the
same error, and there is no workaround for it.
In src/kdc/kdc_util.c there's a function dbentry_supports_etype which has a
hardcoded return value of 0 if the enctype parameter is des-cbc-md5. The
function which calls dbentry_supports_enctype is select_session_keytype also
in kdc_util.c and it then returns 0. The function which calls
select_session_keytype is process_as_req in src/kdc/do_as_req.c and it then
sets the KRB5KDC_ERR_ETYPE_NOSUPP error and creates the error message for
the client. I commented out the hardocded return 0 for des-cbc-md5 in
dbentry_supports_enctype, and then everything seemed to work.
The code takes this same path with both kinit and the third party kerberos
implementation. I happen to have my KDC configured for only the des-cbc-md5
enctype but I have seen the error message in the past when using multiple
enctypes.
default_tkt_enctypes and default_tgs_enctypes to a single value of
des-cbc-md5, kinit fails with a KDC has no support for encryption type
message. Remove it or add another encryption type and kinit succeeds. I am
working with a third party kerberos/gssapi implementation, it receives the
same error, and there is no workaround for it.
In src/kdc/kdc_util.c there's a function dbentry_supports_etype which has a
hardcoded return value of 0 if the enctype parameter is des-cbc-md5. The
function which calls dbentry_supports_enctype is select_session_keytype also
in kdc_util.c and it then returns 0. The function which calls
select_session_keytype is process_as_req in src/kdc/do_as_req.c and it then
sets the KRB5KDC_ERR_ETYPE_NOSUPP error and creates the error message for
the client. I commented out the hardocded return 0 for des-cbc-md5 in
dbentry_supports_enctype, and then everything seemed to work.
The code takes this same path with both kinit and the third party kerberos
implementation. I happen to have my KDC configured for only the des-cbc-md5
enctype but I have seen the error message in the past when using multiple
enctypes.
Show quoted text
_________________________________________________________________
Get today's hot entertainment gossip http://movies.msn.com/movies/hotgossip
Get today's hot entertainment gossip http://movies.msn.com/movies/hotgossip