[31818] in Kerberos
Re: principal: Invalid argument while creating "foo@FOO".
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Dec 29 12:48:01 2009
From: Greg Hudson <ghudson@mit.edu>
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <4B3A30A7.7040400@kickflop.net>
Date: Tue, 29 Dec 2009 12:47:45 -0500
Message-ID: <1262108865.2466.7292.camel@ray>
Cc: Tom Yu <tlyu@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>

On Tue, 2009-12-29 at 11:39 -0500, Jeff Blaine wrote:
> > Do you have RC4 ("arcfour-hmac-md5", etc.) configured in
> > your "supported_enctypes" on that KDC?
>
> I don't understand why I would need to specify that (?)

Tom was asking that to verify that his understanding of your problem was
correct; he wasn't suggesting a workaround.

The problem is that addprinc -randkey works in an odd way: it creates
the principal with a dummy password (and a flag to disallow issuing of
tickets) and then asks the kadmin server to randomize the password.

In krb5 1.6, the dummy password is a 255-byte string containing all
possible byte values. This is what causes the problem with a krb5 1.7
server if you're supporting RC4 keys, because that dummy password is not
valid UTF-8. krb5 1.7 clients use a different dummy password which
doesn't have this problem.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
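
Added example, not part of the original message and not krb5 code: a Python sketch of the failure described above, showing where a 255-byte all-values password stops being valid UTF-8 when prepared for the RC4 string-to-key step (RFC 4757 defines that key as MD4 over the Unicode form of the password). Assumptions: the 1.6 dummy is modelled as bytes 0x01 through 0xFF, the ASCII-only replacement is a constructed stand-in rather than the real krb5 1.7 value, and the function names are hypothetical.

```python
"""Why an all-byte-values dummy password breaks RC4 key derivation."""

# Assumption: the krb5 1.6 dummy password is modelled as bytes 0x01..0xFF
# (255 bytes, every non-NUL value), following the description in the message.
DUMMY_1_6 = bytes(range(1, 256))

# Constructed stand-in for a UTF-8-safe dummy; NOT the actual krb5 1.7 value.
DUMMY_ASCII_ONLY = bytes(range(1, 128)) * 2


def rc4_s2k_input(password: bytes) -> bytes:
    """Return the UTF-16LE buffer that RC4-HMAC string-to-key would hash.

    RFC 4757 derives the key as MD4(UNICODE(password)). If the password is
    treated as UTF-8, it has to decode cleanly before that conversion.
    """
    return password.decode("utf-8", errors="strict").encode("utf-16-le")


def check_password(password: bytes) -> dict:
    """Report whether the conversion succeeds and, if not, where it fails."""
    try:
        buf = rc4_s2k_input(password)
    except UnicodeDecodeError as exc:
        # exc.start is the offset of the first byte that is not valid UTF-8.
        return {"ok": False, "offset": exc.start, "byte": password[exc.start]}
    return {"ok": True, "utf16_len": len(buf)}


if __name__ == "__main__":
    samples = (("1.6-style dummy", DUMMY_1_6),
               ("ASCII-only dummy", DUMMY_ASCII_ONLY))
    for name, pw in samples:
        print(name, check_password(pw))
```

Enctypes whose string-to-key works on the raw password bytes never perform this conversion, which is consistent with the problem appearing only when RC4 is among the supported enctypes.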