From tracy@www-gate.it-services.nwu.edu Wed Nov 24 12:10:42 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA07271 for <bugs@RT-11.MIT.EDU>; Wed, 24 Nov 1999 12:10:41 -0500
Received: from www-gate.it-services.nwu.edu by MIT.EDU with SMTP
id AA26583; Wed, 24 Nov 99 12:11:14 EST
Received: (from root@localhost)
by www-gate.it-services.nwu.edu (8.8.8/8.8.5/25.0) id LAA29246;
Wed, 24 Nov 1999 11:10:39 -0600 (CST)
Message-Id: <199911241710.LAA29246@www-gate.it-services.nwu.edu>
Date: Wed, 24 Nov 1999 11:10:39 -0600 (CST)
From: ptracy@nwu.edu
Reply-To: ptracy@nwu.edu
To: krb5-bugs@MIT.EDU
Subject: krb5-kdc bug, support_desmd5 attribute on TGT princ
X-Send-Pr-Version: 3.99
>Number: 792
>Category: krb5-kdc
>Synopsis: undocumented support_desmd5 attribute on by default in 1.1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 24 12:11:00 EST 1999
>Last-Modified:
>Originator: Phil Tracy
>Organization:
Northwestern University IT
>Release: krb5-1.1
>Environment:
HP/UX 10.20
System: HP-UX www-gate B.10.20 A 9000/770 2006557896 two-user license
>Description:
After building 1.1 and loading a dump of the 1.0.6 database,
I'm able to get TGTs, but get bad enctype errors when trying
to contact TGS. This is because the krbtgt/REALM@REALM
principal has by default the SUPPORT_DESMD5 attribute set,
and I'm not using MD5 anywhere. kadmin.local doesn't explicitly
document how to turn this off, but it's easy enough to guess.
>How-To-Repeat:
Start with 1.0.6 KDC. Configure clients & kdc with only des-cbc-crs
enctypes. Dump with kdb5_util. Load with 1.1 kdb5_util. Try to
obtain TGT, then service ticket.
>Fix:
Use kadmin.local, modprinc -support_desmd5 krbtgt/REALM@REALM
>Audit-Trail:
>Unformatted: