On Wednesday, October 11, 2006 06:20:30 PM -0500 John Hascall <[EMAIL PROTECTED]> wrote:

>> >> Except the issue here is he's getting a DES_CBC_MD4 session key when
>> >> he wants DES_CBC_CRC. The "why" is likely in the code you're quoting
>> >> - DES_CBC_MD4 is a "better" enctype, and both sides appear to support
>> >> it (since the single-des types are interchangeable).
>> >
>> >> I'd be curious to know how the resulting ticket is not "useful"; that
>> >> is, what application is being used and what error results when
>> >> attempting to use that ticket.
>> >
>> > Here is the error reported by the user:
>> >
>> > $ telnet -fax cerberus.ait.iastate.edu
>> > Encryption is verbose
>> > Trying 129.186.145.115...
>> > Connected to cerberus.ait.iastate.edu.
>> > Escape character is '^]'.
>> > [ Trying mutual KERBEROS5
>> > (host/[EMAIL PROTECTED])... ] [ Kerberos V5 refuses
>> > authentication because telnetd:
>> > krb5_rd_req failed: Encryption type not permitted ]
>> > [ Trying KERBEROS5 (host/[EMAIL PROTECTED])... ]
>> > [ Kerberos V5 refuses authentication because telnetd:
>> > krb5_rd_req failed: Encryption type not permitted ]
>>
>> Is the telnetd also heimdal? That sounds like either the machine
>> running telnetd is configured to require des-cbc-crc, or its keytab
>> contains only a des-cbc-crc key. You can fix the latter problem by
>> using ktutil to copy the keytab to a v4 srvtab and back.
>
> Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.

Ah, but MIT Kerberos treats des-cbc-crc, des-cbc-md4, and des-cbc-md5 as
interchangeable in a variety of cases, and Heimdal does not. So if you
have an MIT KDC and Heimdal application servers, then a principal with a
des-cbc-crc key in the KDB needs to have all three enctypes in its keytab.

-- Jeff
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
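
The keytab condition described in this thread can be checked offline. The following is an added example, not code from the thread or from either Kerberos project: it parses a keytab in the version 0x0502 file format and lists, for each principal holding any single-DES key, which of the three single-DES enctypes are absent. The function names, the sample principal and realm, and the all-zero key bytes are constructed for illustration.

```python
import struct

# Single-DES enctype numbers as assigned in the Kerberos specifications.
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def _counted(buf, off):
    """Read a uint16-length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_enctypes(buf):
    """Map principal name -> set of enctype numbers in a 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = {}, 2
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size <= 0:                # negative length marks a deleted entry
            off -= size
            continue
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, p = _counted(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(buf, p)
            comps.append(c.decode())
        p += 4 + 4 + 1               # skip name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", buf, p)
        out.setdefault("/".join(comps) + "@" + realm.decode(), set()).add(etype)
        off += size
    return out

def missing_single_des(buf):
    """Per principal with a single-DES key, the single-DES enctypes absent."""
    report = {}
    for princ, etypes in keytab_enctypes(buf).items():
        if etypes & set(SINGLE_DES):
            report[princ] = [SINGLE_DES[e] for e in sorted(set(SINGLE_DES) - etypes)]
    return report

def make_entry(realm, comps, etype, key=b"\x00" * 8, kvno=1):
    """Build one keytab entry (constructed test data, placeholder key)."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a host principal with only a des-cbc-crc key.
SAMPLE = b"\x05\x02" + make_entry("EXAMPLE.ORG", ["host", "server.example.org"], 1)
```

A non-empty list for a principal marks a keytab in the state the thread describes, where a Heimdal server would hold a des-cbc-crc key but no des-cbc-md4 or des-cbc-md5 entry.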