I find that when I have a principal with both a DES key and an AES128 key then I cannot use kinit to authenticate using a keytab file that only has the AES128 key. I would like to know why I cannot authenticate through kinit using just my AES128 key.

The details of my interaction follow:

1. Create the keytab file with just an aes128-cts-hmac-sha1-96:normal key:

    kadmin.local: ktadd -k temp.keytab -e "aes128-cts-hmac-sha1-96:normal" PRINCIPAL
    Entry for principal PRINCIPAL with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:temp.keytab.

2. Try to kinit using that keytab file:

    kinit -k -t temp.keytab PRINCIPAL
    kinit(v5): Key table entry not found while getting initial credentials

But after adding a DES key to the temp.keytab, the above kinit works.

In trying to research this I noticed the following in the latest (Aug 4, 2006) "Kerberos V5 application programming library" documentation. In the description of the krb5_get_in_tkt call it says that "valid encryption types are ETYPE_DES_CBC_CRC and ETYPE_RAW_DES_CBC".

Am I to understand that the API used by kinit will use only DES keys to get initial tickets? If so, is this just a current implementation problem, or is there a more basic technical problem that will not let kinit be extended to use an AES128 key?

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos