On 12/29/2009 12:47 PM, Greg Hudson wrote:
> On Tue, 2009-12-29 at 11:39 -0500, Jeff Blaine wrote:
>>> Do you have RC4 ("arcfour-hmac-md5", etc.) configured in
>>> your "supported_enctypes" on that KDC?
>>
>> I don't understand why I would need to specify that (?)
>
> Tom was asking that to verify that his understanding of your problem was
> correct; he wasn't suggesting a workaround.
>
> The problem is that addprinc -randkey works in an odd way: it creates
> the principal with a dummy password (and a flag to disallow issuing of
> tickets) and then asks the kadmin server to randomize the password.
>
> In krb5 1.6, the dummy password is a 255-byte string containing all
> possible byte values. This is what causes the problem with a krb5 1.7
> server if you're supporting RC4 keys, because that dummy password is not
> valid UTF-8. krb5 1.7 clients use a different dummy password which
> doesn't have this problem.

May I suggest that, in order to provide for backward compatibility,
kadmin recognize the well-known dummy password and the use of the
disallow-tickets flag and replace the dummy password with one that
will succeed.

Jeffrey Altman
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
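
Added example, not part of the original message and not krb5 code: a Python sketch of why the 1.6 dummy password fails the UTF-8 to UTF-16LE conversion that RC4 key derivation (RFC 4757) applies before hashing, and of the compatibility check suggested above. The byte order of the dummy password, the replacement value, the flag bit and all function names are assumptions.

```python
# Added illustration; names and values are assumptions, not krb5 source.
LEGACY_DUMMY = bytes(range(1, 256))            # assumed layout: 0x01..0xFF (255 bytes)
SAFE_DUMMY = b"constructed-ascii-placeholder"  # constructed replacement value
DISALLOW_ALL_TIX = 0x40                        # illustrative bit for the no-tickets flag


def first_invalid_utf8(password: bytes):
    """Return the offset of the first byte that breaks UTF-8 decoding, or None."""
    try:
        password.decode("utf-8")
        return None
    except UnicodeDecodeError as exc:
        return exc.start


def rc4_s2k_input(password: bytes) -> bytes:
    """Produce the UTF-16LE bytes that RC4-HMAC string-to-key would hash.

    The conversion needs valid UTF-8 input; anything else is rejected,
    which is the failure the thread describes for the 1.6 dummy password.
    """
    bad = first_invalid_utf8(password)
    if bad is not None:
        raise ValueError(f"not UTF-8 at offset {bad}: 0x{password[bad]:02x}")
    return password.decode("utf-8").encode("utf-16-le")


def normalize_create(password: bytes, attributes: int) -> bytes:
    """Hypothetical server-side shim for the suggestion in the reply.

    The legacy dummy is replaced only when BOTH markers are present: the
    well-known byte string and the disallow-tickets flag. A request with
    the same bytes but without the flag is passed through untouched.
    """
    if password == LEGACY_DUMMY and attributes & DISALLOW_ALL_TIX:
        return SAFE_DUMMY
    return password


if __name__ == "__main__":
    print("first invalid offset:", first_invalid_utf8(LEGACY_DUMMY))
    fixed = normalize_create(LEGACY_DUMMY, DISALLOW_ALL_TIX)
    print("after shim:", len(rc4_s2k_input(fixed)), "bytes of UTF-16LE")
```

Requiring the flag as well as the byte string keeps the shim from rewriting a password that a client actually intends to be usable for tickets.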