> >> >> - DES_CBC_MD4 is a "better" enctype, and both sides appear to support
> >> >> it (since the single-des types are interchangeable).
> >> >
> >> >> I'd be curious to know how the resulting ticket is not "useful"; that
> >> >> is, what application is being used and what error results when
> >> >> attempting to use that ticket.
> >> >
> >> > Here is the error reported by the user:
> >> >
> >> > $ telnet -fax cerberus.ait.iastate.edu
> >> > Encryption is verbose
> >> > Trying 129.186.145.115...
> >> > Connected to cerberus.ait.iastate.edu.
> >> > Escape character is '^]'.
> >> > [ Trying mutual KERBEROS5
> >> > (host/[EMAIL PROTECTED])... ] [ Kerberos V5 refuses
> >> > authentication because telnetd:
> >> > krb5_rd_req failed: Encryption type not permitted ]
> >> > [ Trying KERBEROS5 (host/[EMAIL PROTECTED])... ]
> >> > [ Kerberos V5 refuses authentication because telnetd:
> >> > krb5_rd_req failed: Encryption type not permitted ]
> >>
> >> Is the telnetd also heimdal? That sounds like either the machine
> >> running telnetd is configured to require des-cbc-crc, or its keytab
> >> contains only a des-cbc-crc key. You can fix the latter problem by
> >> using ktutil to copy the keytab to a v4 srvtab and back.
> >
> > Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.
>
> Ah, but MIT Kerberos treats des-cbc-crc, des-cbc-md4, and des-cbc-md5 as
> interchangeable in a variety of cases, and Heimdal does not. So if you
> have an MIT KDC and Heimdal application servers, then a principal with a
> des-cbc-crc key in the KDB needs to have all three enctypes in its keytab.
Well, that's just icky. I was able to solve the problem by adding the
following line to the KDC's krb5.conf file:

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 \
    des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc

Thanks,
John

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
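As an added illustration (not part of this thread and not MIT or Heimdal code), the following Python parses the common version 0x0502 keytab file format and reports service principals that hold one single-DES key without the other two, which is the keytab condition the quoted reply describes. The principal names and keys in the test are constructed, and EXAMPLE.COM is a placeholder realm.

```python
import struct

# Kerberos enctype numbers (RFC 3961): the single-DES types MIT treats as interchangeable.
DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5 = 1, 2, 3
SINGLE_DES = {DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5}

def build_keytab(entries):  # (principal, enctype, kvno, key) tuples -> keytab bytes
    out = b"\x05\x02"  # keytab file format version 0x0502, all fields big-endian
    for princ, etype, kvno, key in entries:
        name, realm = princ.rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1)  # component count excludes the realm
        body += b"".join(struct.pack(">H", len(p)) + p for p in parts)  # counted strings
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key  # keyblock: enctype, length, key
        out += struct.pack(">i", len(body)) + body  # entry size prefix
    return out

def parse_keytab(data):  # keytab bytes -> [(principal, enctype, kvno)]
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot of that length: skip it
            pos -= size
            continue
        if size == 0:  # malformed: a zero-length entry would never advance
            raise ValueError("malformed keytab entry")
        end = pos + size
        ncomp, pos, parts = struct.unpack_from(">H", data, pos)[0], pos + 2, []
        for _ in range(ncomp + 1):  # realm first, then the name components
            n = struct.unpack_from(">H", data, pos)[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _, _, vno8 = struct.unpack_from(">IIB", data, pos)  # name_type, timestamp, vno8
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen  # skip fixed fields, keyblock header and key octets
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], etype, kvno))
        pos = end
    return entries

def missing_single_des(entries):  # principal -> single-DES enctypes absent from the keytab
    have = {}
    for princ, etype, _ in entries:
        if etype in SINGLE_DES:
            have.setdefault(princ, set()).add(etype)
    return {p: sorted(SINGLE_DES - e) for p, e in have.items() if SINGLE_DES - e}
```

Run parse_keytab over the bytes of a real keytab and pass the result to missing_single_des; a principal listed with [2, 3] has only the des-cbc-crc key that Heimdal will refuse for the other two enctypes.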