Russ Allbery wrote:
> Tim Metz <[email protected]> writes:
>
>> We have in our MIT KDC some legacy principals that were imported from
>> another commercial Kerberos product. For kvno=0, they have an unknown
>> e-type. For kvno=1, they have an e-type "DES cbc mode with CRC-32,
>> Version 4".
>
>> Under MIT versions 1.6.3 and 1.7.1, running kinit against these
>> principals is functional.
>
>> Starting with MIT version 1.8 however, using the same import process for
>> the principals, kinit fails as follows:
>
>> kinit -k -t /etc/krb5.keytab host/hostname.example.com
>> kinit(v5): KDC has no support for encryption type while getting initial
>> credentials
>
>> At first pass, the problem at least has the appearance that it could be
>> related to kvno processing code. More specifically, in versions prior
>> to 1.8 if a kvno=0 contained an unsupported encryption type, processing
>> would continue to kvno=1 and succeed. Starting with version 1.8, it
>> looks like if kvno=0 has an unsupported e-type, processing fails, and
>> does not continue on to consult kvno=1.
>
> I suspect you have a much simpler problem, namely that 1.8 disabled
> support for DES by default. Try adding:
>
>     allow_weak_crypto = true
>
> to the [libdefaults] section of krb5.conf for your KDCs and see if that
> changes matters.

Thanks, Russ. I intended to include, and realized after sending that I
hadn't, the information that we have "allow_weak_crypto = true" in the
[libdefaults] section of our kdc.conf and krb5.conf. We can create
principals with only "DES cbc mode with CRC-32", and successfully kinit
against them, so I believe the KDC is supporting weak e-types.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
