Bug#574774: heimdal-kdc: KDC stops granting tickets

Richard A Nelson Sat, 20 Mar 2010 15:00:57 -0700

Package: heimdal-kdc
Version: 1.4.0~git20100221.dfsg.2-2
Severity: important


I was about to mark this critical, when I found it only affects one of
my realms - the other seems to work fine ?!?

I have two realm, with similar setups:
        *) 32 and 64 bit KDC and clients
        *) Data stored in LDAP
        *) libssl0.9.8m-2
        *) The same krb5.conf (sans default realm)
        *) Needing weak auth (NFS and Windows XP):
                     Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
                                 des-cbc-crc(pw-salt), 
aes256-cts-hmac-sha1-96(pw-salt),
                                 des3-cbc-sha1(pw-salt), 
arcfour-hmac-md5(pw-salt)

On this realm, the 64 bit server answers all AS-REQ requests with:
        krb5_crypto_init failed: encryption key has bad length
The 32bit server says:
        krb5_crypto_init failed: encryption type 168010328 not supported

So, on the 32bit system I downgraded KDC to testing and wound with
        krb5_crypto_init failed: encryption key has bad length

Downgrading KDC to stable and I'm back to bad enc type :(
so it is more likely *one* of the libraries, but I no clue which :(

The kdc logs look kosher (sans the error):
2010-03-20T21:09:48 AS-REQ authtime: 2010-03-20T21:09:48 starttime: unset 
endtime: 2010-09-16T21:09:48 renew till: 2010-04-19T21:09:48
2010-03-20T21:09:48 Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, 
des-cbc-md5, des-cbc-md4, des-cbc-crc, using 
des3-cbc-md5/aes256-cts-hmac-sha1-96
2010-03-20T21:09:48 Requested flags: renewable, forwardable
2010-03-20T21:09:48 krb5_crypto_init failed: encryption key has bad length
2010-03-20T21:09:48 sending 162 bytes to IPv4:127.0.0.1

2010-03-20T21:41:10 AS-REQ authtime: 2010-03-20T21:41:10 starttime: unset 
endtime: 2010-04-03T21:41:10 renew till: 2010-04-19T21:41:10
2010-03-20T21:41:10 Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, 
des-cbc-md5, des-cbc-md4, des-cbc-crc, using enctypes 140692640/18
2010-03-20T21:41:10 Requested flags: renewable, forwardable
2010-03-20T21:41:10 krb5_crypto_init failed: encryption type 140692640 not 
supported
2010-03-20T21:41:10 sending 172 bytes to IPv4:127.0.0.1

Whereas the working realm has:
2010-03-20T21:15:25 AS-REQ authtime: 2010-03-20T21:15:25 starttime: unset 
endtime: 2010-04-03T21:15:25 renew till: 2010-06-27T21:15:25
2010-03-20T21:15:25 Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, 
des-cbc-md5, des-cbc-md4, des-cbc-crc, using 
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2010-03-20T21:15:25 Requested flags: renewable, proxiable
2010-03-20T21:15:25 sending 732 bytes to IPv4:127.0.0.1

So, something is causing bad negotiation on some (but not all) realms :(

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), 
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages heimdal-kdc depends on:
ii  debconf [debc 1.5.28                     Debian configuration management sy
ii  heimdal-clien 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - clients
ii  krb5-config   2.2                        Configuration files for Kerberos V
ii  libasn1-8-hei 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - ASN.1 library
ii  libc6         2.10.2-6                   Embedded GNU C Library: Shared lib
pi  libdb4.8      4.8.26-1                   Berkeley v4.8 Database Libraries [
ii  libedit2      2.11-20080614-1            BSD editline and history libraries
ii  libgssapi2-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - GSSAPI support 
ii  libhdb9-heimd 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - kadmin server l
ii  libkadm5srv8- 1.4.0~git20100221.dfsg.2-2 Libraries for Heimdal Kerberos
ii  libkdc2-heimd 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - KDC support lib
ii  libkrb5-26-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - libraries
ii  libncurses5   5.7+20100313-1             shared libraries for terminal hand
ii  libroken18-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - roken support l
ii  libsl0-heimda 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - SL support libr
ii  libssl0.9.8   0.9.8m-2                   SSL shared libraries
ii  xinetd [inet- 1:2.3.14-7                 replacement for inetd with many en

Versions of packages heimdal-kdc recommends:
ii  logrotate                     3.7.8-4    Log rotation utility

Versions of packages heimdal-kdc suggests:
ii  heimdal-docs  1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - documentation

-- debconf information excluded



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#574774: heimdal-kdc: KDC stops granting tickets

Reply via email to