[3145] in Kerberos-V5-bugs


krb5-kdc/782: krb5_util load_v4 creates bad krbtgt principal

daemon@ATHENA.MIT.EDU (wollman@lcs.mit.edu)
Sun Oct 31 16:10:21 1999

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, wollman@lcs.mit.edu
Message-Id: <199910312109.QAA00522@ca.lcs.mit.edu>
Date: Sun, 31 Oct 1999 16:09:42 -0500 (EST)
From: wollman@lcs.mit.edu
Reply-To: wollman@lcs.mit.edu
To: krb5-bugs@MIT.EDU


>Number:         782
>Category:       krb5-kdc
>Synopsis:       krb5_util load_v4 creates bad krbtgt principal
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Sun Oct 31 16:10:01 EST 1999
>Last-Modified:
>Originator:     Garrett A. Wollman
>Organization:
	MIT Laboratory for Computer Science
>Release:        krb5-1.1
>Environment:
	
System: FreeBSD ca.lcs.mit.edu 4.0-CURRENT FreeBSD 4.0-CURRENT #4: Wed Jul 14 16:57:46 EDT 1999 root@ca.lcs.mit.edu:/usr/src/sys/compile/CA i386


>Description:
	I just moved over our KDC from v4 to v5.  All of the v4-compatibility
	features appear to work fine, but when I attempted to use a v5
	application (e.g., ssh), I found that the KDC would not accept
	its own TGTs, complaining of a `bad encryption type'.  Groveling
	around in the source for a few minutes did not help explain
	the problem, but it did find me a workaround.
>How-To-Repeat:
	kdc# kdb5_util create
	kdc# kdb5_util destroy
	kdc# kdb5_util load_v4 database-dump-from-v4-kdc
	host1$ ssh -v -o 'KerberosAuthentication=YES' host2
	host1: Kerberos V5: failure on credentials(Generic error (see e-text)).
	kdc# tail /var/log/auth.log
	krb5kdc[372]: TGS_REQ 18.24.4.193(750): PROCESS_TGS: authtime 0, <unknown client> for krbtgt/LCS.MIT.EDU@LCS.MIT.EDU, Bad encryption type
>Fix:
	work-around:
	kadmin: modprinc -support_desmd5 krbtgt/LCS.MIT.EDU@LCS.MIT.EDU

>Audit-Trail:
>Unformatted:
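
A way to spot this symptom in a KDC log, as an added example that is not part of the original report or of the krb5 source: it scans lines shaped like the auth.log entry quoted above and reports failed TGS requests for the realm's own krbtgt principal with "Bad encryption type". The function name, the regular expression (inferred from that single quoted line) and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Line layout assumed from the one krb5kdc entry quoted in the report.
TGS_FAIL = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ (?P<addr>[\d.]+)\(\d+\): PROCESS_TGS: "
    r"authtime \d+, (?P<client>.+?) for (?P<service>\S+), (?P<error>.+)$"
)

def find_tgt_enctype_failures(lines):
    """Return (hits, per-address counts) for failed TGS requests where the
    ticket presented is for the local TGS (krbtgt/REALM@REALM) and the KDC
    answered 'Bad encryption type', i.e. it rejected its own TGT."""
    hits = []
    for line in lines:
        m = TGS_FAIL.search(line.strip())
        if not m or m["error"] != "Bad encryption type":
            continue
        name, _, realm = m["service"].partition("@")
        parts = name.split("/")
        # Local TGT only: a cross-realm krbtgt/OTHER@REALM is a different problem.
        if len(parts) == 2 and parts[0] == "krbtgt" and parts[1] == realm:
            hits.append({"addr": m["addr"], "client": m["client"],
                         "service": m["service"]})
    return hits, Counter(h["addr"] for h in hits)

# Constructed sample input; only the first line comes from the report.
SAMPLE = [
    "krb5kdc[372]: TGS_REQ 18.24.4.193(750): PROCESS_TGS: authtime 0, "
    "<unknown client> for krbtgt/LCS.MIT.EDU@LCS.MIT.EDU, Bad encryption type",
    "krb5kdc[372]: TGS_REQ 192.0.2.10(750): PROCESS_TGS: authtime 0, "
    "<unknown client> for krbtgt/OTHER.EXAMPLE@LCS.MIT.EDU, Bad encryption type",
    "krb5kdc[372]: TGS_REQ 192.0.2.11(750): PROCESS_TGS: authtime 0, "
    "<unknown client> for host/host2.example@LCS.MIT.EDU, Ticket expired",
    "sshd[410]: Connection from 192.0.2.12 port 1022",
    "krb5kdc[372]: TGS_REQ 192.0.2.13(750): PROCESS_TGS: authtime 0, "
    "<unknown client> for krbtgt/LCS.MIT.EDU@LCS.MIT.EDU, Bad encryption type",
]

if __name__ == "__main__":
    found, by_addr = find_tgt_enctype_failures(SAMPLE)
    for h in found:
        print(f"{h['addr']}: KDC rejected TGT for {h['service']}")
    print(dict(by_addr))
```
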
