>> This is one of our worst error messages (see
>> https://krbdev.mit.edu/rt/Ticket/Display.html?id=8247 ).
>
>Yeah, no kidding. I actually looked at the source a while ago to try and
>figure out what was happening, but no luck; the location where the error
>message is printed has absolutely no link anymore with the location
>where the error occurs...

"Back in the day" I kept a build of MIT Kerberos with full debugging
symbols around, so I could use a debugger to trace down the source of
weird errors like this (things are much better now, but you still run
into these issues occasionally).

> fcc-mit-ticketflags = true

This seems like a Heimdal-specific configuration entry, FWIW. Russ
already explained that this is probably a problem with your kdc.conf
file, so I'd start there.

>It might be that I haven't properly migrated it from single-DES to more
>modern enctypes; is this something I would be able to see if I looked at
>a dump of the database? If so, how would I go about that, and can I
>still fix this?

Look at the manpage for kdb5_util, specifically the "tabdump" subcommand.
You can easily get a list of encryption types for all principals. The
only tricky principals to change the key of are the master key (see the
procedure in the MIT documentation) and the kadmin password history key
(well, that is straightforward, but you invalidate all password
histories).

--Ken
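
Added example (not part of the message above and not MIT Kerberos code): one way to act on the tabdump suggestion, filtering `kdb5_util tabdump keyinfo` output for principals whose current key set still contains single-DES keys. It assumes the tab-separated column layout and enctype names shown in the MIT tabdump documentation; the function names, the sample rows and the `des-only`/`des-mixed` labels are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the column layout of `kdb5_util tabdump keyinfo`
# (name, keyindex, kvno, enctype, salttype, salt). Not output from a real KDC.
sample_keyinfo() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        name keyindex kvno enctype salttype salt \
        K/M@EXAMPLE.COM 0 1 des-cbc-crc normal -1 \
        alice@EXAMPLE.COM 0 2 aes256-cts-hmac-sha1-96 normal -1 \
        alice@EXAMPLE.COM 1 2 aes128-cts-hmac-sha1-96 normal -1 \
        alice@EXAMPLE.COM 2 1 des-cbc-crc normal -1 \
        bob@EXAMPLE.COM 0 1 des-cbc-crc normal -1 \
        bob@EXAMPLE.COM 1 2 aes256-cts-hmac-sha1-96 normal -1 \
        host/web.example.com@EXAMPLE.COM 0 3 aes256-cts-hmac-sha1-96 normal -1 \
        host/web.example.com@EXAMPLE.COM 1 3 des-cbc-md5 normal -1 \
        kadmin/history@EXAMPLE.COM 0 1 des3-cbc-sha1 normal -1
}

# Read keyinfo rows on stdin and print "principal<TAB>status<TAB>enctypes"
# for every principal whose highest kvno includes a single-DES key.
#   des-only  : every current key is single-DES, so the principal needs a rekey
#   des-mixed : stronger keys exist, but a single-DES key is still offered
des_report() {
    awk -F '\t' '
        $1 == "name" && $4 == "enctype" { next }      # header row
        {
            p = $1; k = $3 + 0
            if (!(p in top) || k > top[p]) {          # newer kvno: start over
                top[p] = k; ndes[p] = 0; nall[p] = 0; types[p] = ""
            }
            if (k < top[p]) next                      # superseded key, ignore
            nall[p]++
            if ($4 ~ /^des-/) ndes[p]++               # des3-* does not match
            types[p] = types[p] (types[p] == "" ? "" : ",") $4
        }
        END {
            for (p in top) if (ndes[p] > 0)
                printf "%s\t%s\t%s\n", p,
                    (ndes[p] == nall[p] ? "des-only" : "des-mixed"), types[p]
        }
    ' | LC_ALL=C sort
}

# On a KDC host the input would be:  kdb5_util tabdump keyinfo | des_report
sample_keyinfo | des_report
```

Rows with an older kvno are skipped deliberately, so a principal that was already rekeyed to AES is not reported just because an old DES key is still stored.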