[32208] in Kerberos
Re: CANT_FIND_CLIENT_KEY
daemon@ATHENA.MIT.EDU (Matt Zagrabelny)
Tue Mar 30 20:15:20 2010
From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87vdcda2gj.fsf@windlord.stanford.edu>
Date: Tue, 30 Mar 2010 19:13:21 -0500
Message-ID: <1269994401.11234.38.camel@localhost.localdomain>
Cc: kerberos <kerberos@mit.edu>
On Tue, 2010-03-30 at 15:07 -0700, Russ Allbery wrote:
> Matt Zagrabelny <mzagrabe@d.umn.edu> writes:
> > On Tue, 2010-03-30 at 14:46 -0700, Russ Allbery wrote:
>
> >> You need it on the client in addition to the server.
>
> > Good to know. :)
>
> > Unfortunately, the client is a Cisco Catalyst 3750. :/
>
> > workstation% telnet.netkit switch3750
> > Trying 10.25.1.14...
> > 'autologin': unknown argument ('toggle ?' for help).
> > Connected to switch3750.d.umn.edu.
> > Escape character is '^]'.
>
> Then that's probably not the problem. The Cisco box almost certainly
> hasn't disabled DES (it's probably the only enctype that it supports).
>
> Please show the getprinc output for your krbtgt/* key and the user
> principal that you're using. I bet one or the other of them has no DES
> key.
Indeed.

kadmin.local: getprinc mzagrabe
Principal: mzagrabe@D.UMN.EDU
Expiration date: [never]
Last password change: Wed Mar 24 15:44:13 CDT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Mar 30 16:27:51 CDT 2010 (root/admin@D.UMN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes:
Policy: [none]
kadmin.local: getprinc krbtgt/D.UMN.EDU
Principal: krbtgt/D.UMN.EDU@D.UMN.EDU
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Sep 05 14:08:25 CDT 2009 (db_creation@D.UMN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

It looks like the mzagrabe principal is missing the:
Key: vno 1, DES cbc mode with CRC-32, no salt

How would I add that key to the principal?

Thanks,
-matt
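
The comparison made by eye in the message above, as an added example (not part of the original message and not MIT Kerberos code): it parses getprinc output in the format shown above and lists the principals that have no single-DES key. The function names are hypothetical, and the matching assumes the "DES cbc mode ..." descriptions printed above.

```python
import re

# Key line as printed in the message above, e.g.
#   "Key: vno 1, DES cbc mode with CRC-32, no salt"  (salt field optional: assumption)
KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([^,]+?)(?:,\s+(.+))?$")

def parse_getprinc(transcript):
    """Map each 'Principal:' in a kadmin transcript to [(kvno, enctype), ...]."""
    keys, current = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            keys[current] = []
        elif current is not None:
            m = KEY_RE.match(line)
            if m:
                keys[current].append((int(m.group(1)), m.group(2).strip()))
    return keys

def is_single_des(enctype):
    """True for single-DES descriptions; 'Triple DES ...' must not match."""
    return enctype.lower().startswith("des cbc mode")

def principals_without(keys, predicate):
    """Principals that have no key whose enctype satisfies predicate."""
    return sorted(p for p, ks in keys.items()
                  if not any(predicate(e) for _, e in ks))

# Sample input: Principal and Key lines copied from the getprinc output above.
SAMPLE = """\
Principal: mzagrabe@D.UMN.EDU
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Principal: krbtgt/D.UMN.EDU@D.UMN.EDU
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
"""

if __name__ == "__main__":
    parsed = parse_getprinc(SAMPLE)
    for name, ks in parsed.items():
        print(name, [e for _, e in ks])
    print("no single-DES key:", principals_without(parsed, is_single_des))
```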