[3156] in Kerberos-V5-bugs

krb5-kdc/792: krb5-kdc bug, support_desmd5 attribute on TGT princ

daemon@ATHENA.MIT.EDU (ptracy@nwu.edu)
Wed Nov 24 12:11:25 1999

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, ptracy@nwu.edu
Message-Id: <199911241710.LAA29246@www-gate.it-services.nwu.edu>
Date: Wed, 24 Nov 1999 11:10:39 -0600 (CST)
From: ptracy@nwu.edu
Reply-To: ptracy@nwu.edu
To: krb5-bugs@MIT.EDU


>Number:         792
>Category:       krb5-kdc
>Synopsis:       undocumented support_desmd5 attribute on by default in 1.1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Nov 24 12:11:00 EST 1999
>Last-Modified:
>Originator:     Phil Tracy
>Organization:
Northwestern University IT
>Release:        krb5-1.1
>Environment:
HP/UX 10.20
System: HP-UX www-gate B.10.20 A 9000/770 2006557896 two-user license


>Description:
	After building 1.1 and loading a dump of the 1.0.6 database,
	I'm able to get TGTs, but get bad enctype errors when trying
	to contact TGS.  This is because the krbtgt/REALM@REALM 
	principal has by default the SUPPORT_DESMD5 attribute set,
	and I'm not using MD5 anywhere.  kadmin.local doesn't explicitly
	document how to turn this off, but it's easy enough to guess.

>How-To-Repeat:
	Start with 1.0.6 KDC.  Configure clients & kdc with only des-cbc-crc
	enctypes.  Dump with kdb5_util.  Load with 1.1 kdb5_util.  Try to
	obtain TGT, then service ticket.

>Fix:
	Use kadmin.local, modprinc -support_desmd5 krbtgt/REALM@REALM

>Audit-Trail:
>Unformatted:
