[37076] in Kerberos
Re: ktadd default enctype
daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Jun 5 11:14:48 2015
Date: Fri, 5 Jun 2015 10:14:39 -0500
From: Nico Williams <nico@cryptonector.com>
To: John Devitofranceschi <jdvf@optonline.net>
Message-ID: <20150605151438.GY18760@localhost>
In-Reply-To: <6DBA609A-440B-4C5D-A62E-EE0CEFD471B3@optonline.net>
Cc: kerberos@mit.edu
On Fri, Jun 05, 2015 at 07:24:06AM -0400, John Devitofranceschi wrote:
> How is ktadd *supposed* to figure out which enctype(s) to use?
Long ago I made Solaris' ktadd use the locally supported enctype list as
the default for ktadd, as if they'd been passed via the -e option (which
still works, natch).
> I am seeing an issue where kadmin’s ktadd, if left to its own devices,
> will generate a key with an encryption type that has nothing to do
> with the KDC’s supported_enctype list and ktadd seems to completely
> ignore the local client’s default/permitted enctype settings.
Eh? No, it should not ignore the KDC's supported_enctype list unless it
implements the change I mentioned above.
The supported_enctypes list was meant to apply only when the client
didn't use the -e option.
> KDC supports: des3-cbc-sha1 des-cbc-crc (I know, I know)
>
> Client's krb5.conf tells it to support: des-cbc-crc (I know, I know)
<phaser type="disapproval" level="11">
...
</phaser>
>
> But when we run ktadd the resulting keytab’s key has des-cbc-md5
>
> The client is an Oracle Linux with 1.6.1 krb5 client software.
>
> Also, the KDC is using Sun Solaris 10 Kerberos software (not MIT).
>
> Thanks for any insight!
I bet the Oracle client is using the kadm5_create_principal_3() RPC,
which means you don't get the supported_enctypes.
Try using the -e option.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
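A defender-side check for the symptom discussed in this thread, added here and not part of the list post: it parses `klist -kte` output (a constructed sample below, in MIT klist's layout), flags keytab entries whose enctype is outside what both the KDC's supported_enctypes and the client's permitted_enctypes allow, and builds the explicit `ktadd -e` key/salt list Nico recommends. The principal and timestamps are made up.

```python
"""Audit a keytab's enctypes against the KDC and client enctype lists.

Added example, not code from the thread. The "(enctype)" suffix per line
is how MIT klist -kte prints the encryption type of each keytab entry.
"""
import re

# Constructed sample of `klist -kte` output (hostname and timestamps invented).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/05/15 10:14:39 host/ol6.example.com@EXAMPLE.COM (des-cbc-md5)
   3 06/05/15 10:14:39 host/ol6.example.com@EXAMPLE.COM (des3-cbc-sha1)
"""

# kvno, "date time", principal, (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def unexpected_enctypes(entries, kdc_supported, client_permitted):
    """Entries whose enctype the KDC does not offer or the client does not permit.

    A service key only helps if the KDC can issue tickets with it AND the
    client library is allowed to use it, so the check uses the intersection.
    """
    allowed = set(kdc_supported) & set(client_permitted)
    return [e for e in entries if e[2] not in allowed]


def ktadd_enctype_arg(kdc_supported, client_permitted, salt="normal"):
    """Build the explicit `ktadd -e` keysalt list (enc:salt pairs, comma separated)
    from the enctypes both sides agree on, preserving the KDC's order."""
    common = [e for e in kdc_supported if e in client_permitted]
    return ",".join(f"{e}:{salt}" for e in common)


if __name__ == "__main__":
    kdc = ["des3-cbc-sha1", "des-cbc-crc"]  # the thread's KDC list
    client = ["des-cbc-crc"]                # the thread's client list
    for kvno, princ, enc in unexpected_enctypes(parse_klist(SAMPLE_KLIST), kdc, client):
        print(f"unexpected enctype {enc} for {princ} (kvno {kvno})")
    print("suggested: ktadd -e", ktadd_enctype_arg(kdc, client), "<principal>")
```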