[2172] in Kerberos-V5-bugs
Re: Documentation lacking questions.
daemon@ATHENA.MIT.EDU (Sam Hartman)
Tue Aug 20 13:45:11 1996
To: "Randall S. Winchester" <rsw@Glue.umd.edu>
Cc: krb5-bugs@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 20 Aug 1996 13:45:04 -0400
In-Reply-To: "Randall S. Winchester"'s message of Tue, 20 Aug 1996 11:00:36 -0400 (EDT)
>>>>> "Randall" == "Randall S Winchester" <rsw@Glue.umd.edu> writes:
Randall> 1) how do you start/configure Kerberos V5b6 to get
Randall> kadmind5 to run? I am running on Solaris 2.5. I get the
Randall> following, but can not find information on what is
Randall> needed:
Randall> kadmind5: cannot get service entry for kpasswd (Error 0).
Randall> Segmentation fault
I would guess this probably can be found in osconf.h or one of
the kadmin include files as a #define. Also, you can look at krb.log
in tests/dejagnu after running make check.
Randall> 2) I want to use various encryption types like;
Randall> des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw
Randall> des3-cbc-sha des3-cbc-raw
No, you don't. Trust me.
Seriously, the enctype handling stuff is fairly complex and
has some rather strange interactions involving kdc.conf, krb5.conf and
the md5 bit on principals in the database. Also, the DES3 code is not
finalized yet, and Richard may change the key format in a manner that
does not preserve backward compatibility.
If you want to enable MD5, set the md5 bit on all the
principals in the database, and add des-cbc-md5 before des-cbc-crc on
the two enctypes lines in krb5.conf. (just `des' stands for
des-cbc-md5.)
You don't want to use des3-cbc-raw or des-cbc-raw as an
enctype in your database; it is included only for GSSAPI's usage.
If you really need to get des3 running now, I can give you the
necessary incantations; I'm using it and it does work once you apply
the SHS endianness patch, but you may not be able to use your keys
with future releases of Kerberos.
Randall> However after I changed my password (with kdb_edit since
Randall> I can not get kadmind5 to run...) I was unable to
Randall> kinit. I got this;
O, yes, that's another thing about multiple encryption types
in Beta 6: kadmin doesn't change passwords correctly--or at least, it
doesn't preserve the supported_enctypes.
Randall> kinit: KDC has no support for encryption type while
Randall> getting initial credentials
Right, you need to set the md5 bit on the principal using the
modify command of kdb5_edit. You should also set the md5 bit on the
server principals you plan on using--especially krbtgt.
Randall> Thanks, Randall