From Wed Nov 24 12:10:42 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA07271 for <bugs@RT-11.MIT.EDU>; Wed, 24 Nov 1999 12:10:41 -0500
Received: from by MIT.EDU with SMTP
id AA26583; Wed, 24 Nov 99 12:11:14 EST
Received: (from root@localhost)
by (8.8.8/8.8.5/25.0) id LAA29246;
Wed, 24 Nov 1999 11:10:39 -0600 (CST)
Message-Id: <>
Date: Wed, 24 Nov 1999 11:10:39 -0600 (CST)
To: krb5-bugs@MIT.EDU
Subject: krb5-kdc bug, support_desmd5 attribute on TGT princ
X-Send-Pr-Version: 3.99

>Number: 792
>Category: krb5-kdc
>Synopsis: undocumented support_desmd5 attribute on by default in 1.1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 24 12:11:00 EST 1999
>Originator: Phil Tracy
Northwestern University IT
>Release: krb5-1.1
HP/UX 10.20
System: HP-UX www-gate B.10.20 A 9000/770 2006557896 two-user license

After building 1.1 and loading a dump of the 1.0.6 database,
I'm able to get TGTs, but get bad enctype errors when trying
to contact TGS. This is because the krbtgt/REALM@REALM
principal has by default the SUPPORT_DESMD5 attribute set,
and I'm not using MD5 anywhere. kadmin.local doesn't explicitly
document how to turn this off, but it's easy enough to guess.

Start with 1.0.6 KDC. Configure clients & kdc with only des-cbc-crc
enctypes. Dump with kdb5_util. Load with 1.1 kdb5_util. Try to
obtain TGT, then service ticket.

Use kadmin.local, modprinc -support_desmd5 krbtgt/REALM@REALM

Fixed with the single-DES enctype mess in krb5-1.2.3.