[32152] in Kerberos
KDC has no support for encryption type
daemon@ATHENA.MIT.EDU (Brian J. Murrell)
Tue Mar 16 15:47:49 2010
To: kerberos@mit.edu
From: "Brian J. Murrell" <brian@interlinx.bc.ca>
Date: Tue, 16 Mar 2010 08:23:49 -0400
Message-ID: <1268742229.23554.48.camel@pc.interlinx.bc.ca>
Hello everyone.
I've just recently upgraded my distro which included an upgrade of MIT
kerberos to (debian version) "1.8+dfsg~alpha1-7" which I'm assuming is
some kind of 1.8 (pre-)release.
Since that upgrade, my NFS4 mounts no longer work. On the KDC I am
getting:
00:20:43 krb5kdc TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com@ILINX for nfs/linux.xxx.com@ILINX, KDC has no support for encryption type
00:20:43 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com@ILINX for nfs/linux.xxx.com@ILINX, KDC has no support for encryption type
00:22:02 krb5kdc TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxx.com@ILINX for nfs/linux.xxx.com@ILINX, KDC has no support for encryption type
00:22:02 krb5kdc TGS_REQ (3 etypes {1 3 2}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: BAD_ENCRYPTION_TYPE: authtime 0, nfs/pc.xxxx.com@ILINX for nfs/linux.xxx.com@ILINX, KDC has no support for encryption type
Other keys seem to be working fine still:
$ rsh -x linux uname
This rsh session is encrypting input/output data transmissions.
Linux
Where the KDC reports for the above:
krb5kdc: AS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian@ILINX for krbtgt/ILINX@ILINX
krb5kdc: TGS_REQ (1 etypes {16}) 2001:xxxx:xxx:0:xxx:xxxx:xxxx:65cc: ISSUE: authtime 1268740114, etypes {rep=16 tkt=16 ses=16}, brian@ILINX for host/pc.xxx.com@ILINX
My keytab has the following credentials:
$ sudo klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/pc.xxx.com@ILINX (Triple DES cbc mode with HMAC/sha1)
   2 nfs/pc.xxx.com@ILINX (DES cbc mode with CRC-32)
   4 host/pc.xxx.com@ILINX (Triple DES cbc mode with HMAC/sha1)
   4 host/pc.xxx.com@ILINX (DES cbc mode with CRC-32)
It seems to me that there is some mismatch between key types and what's
supported but I can't for the life of me figure out where.
krb5.conf on pc.xxx.com has:
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#   default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#   default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#   permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    ILINX = {
        kdc = kerberos.xxx.com
        admin_server = kerberos.xxx.com
    }
...
[domain_realm]
...
    .ilinx = ILINX
    .xxx.com = ILINX
[login]
    krb4_convert = true
    krb4_get_tickets = false
kdc.conf on the KDC has:
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    ILINX = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        #dict_file = /usr/share/dict/words
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
Any ideas at all would be much appreciated.
Thanx,
b.