[31819] in Kerberos
Re: principal: Invalid argument while creating "foo@FOO".
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Tue Dec 29 13:04:10 2009
X-Envelope-From: jaltman@secure-endpoints.com
Message-ID: <4B3A4437.1040002@secure-endpoints.com>
Date: Tue, 29 Dec 2009 13:02:31 -0500
From: Jeffrey Altman <jaltman@secure-endpoints.com>
MIME-Version: 1.0
To: ghudson@mit.edu
In-Reply-To: <1262108865.2466.7292.camel@ray>
Cc: Jeff Blaine <jblaine@kickflop.net>, Tom Yu <tlyu@mit.edu>,
"kerberos@mit.edu" <kerberos@mit.edu>
Reply-To: jaltman@secure-endpoints.com
On 12/29/2009 12:47 PM, Greg Hudson wrote:
> On Tue, 2009-12-29 at 11:39 -0500, Jeff Blaine wrote:
>>> Do you have RC4 ("arcfour-hmac-md5", etc.) configured in
>>> your "supported_enctypes" on that KDC?
>>
>> I don't understand why I would need to specify that (?)
>
> Tom was asking that to verify that his understanding of your problem was
> correct; he wasn't suggesting a workaround.
>
> The problem is that addprinc -randkey works in an odd way: it creates
> the principal with a dummy password (and a flag to disallow issuing of
> tickets) and then asks the kadmin server to randomize the password.
>
> In krb5 1.6, the dummy password is a 255-byte string containing all
> possible byte values. This is what causes the problem with a krb5 1.7
> server if you're supporting RC4 keys, because that dummy password is no=
t
> valid UTF-8. krb5 1.7 clients use a different dummy password which
> doesn't have this problem.
May I suggest that, in order to provide for backward compatibility, kadmin recognize the well-known dummy password and the use of the disallow-tickets flag, and replace the dummy password with one that will succeed.
Jeffrey Altman
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos