
From: "Arlene Berry" <>
Subject: des-cbc-md5
Date: Mon, 25 Sep 2006 23:06:51 +0000
For some time now I have noticed that if in krb5.conf you set
default_tkt_enctypes and default_tgs_enctypes to a single value of
des-cbc-md5, kinit fails with a "KDC has no support for encryption type"
message. Remove it or add another encryption type and kinit succeeds. I am
working with a third party Kerberos/GSSAPI implementation; it receives the
same error, and there is no workaround for it.

In src/kdc/kdc_util.c there's a function dbentry_supports_enctype which has a
hardcoded return value of 0 if the enctype parameter is des-cbc-md5. The
function which calls dbentry_supports_enctype is select_session_keytype, also
in kdc_util.c, and it then returns 0. The function which calls
select_session_keytype is process_as_req in src/kdc/do_as_req.c and it then
sets the KRB5KDC_ERR_ETYPE_NOSUPP error and creates the error message for
the client. I commented out the hardcoded return 0 for des-cbc-md5 in
dbentry_supports_enctype, and then everything seemed to work.

The code takes this same path with both kinit and the third party Kerberos
implementation. I happen to have my KDC configured for only the des-cbc-md5
enctype, but I have seen the error message in the past when using multiple
