[39133] in Kerberos
Re: kadmin not working after server migration, but kdc works
daemon@ATHENA.MIT.EDU (Wouter Verhelst)
Wed Sep 21 03:49:54 2022
Date: Wed, 21 Sep 2022 09:45:51 +0200
From: Wouter Verhelst <w@uter.be>
To: Russ Allbery <eagle@eyrie.org>
Message-ID: <YyrBL9bEEmFayl3U@pc220518.home.grep.be>
In-Reply-To: <871qs5yg3g.fsf@hope.eyrie.org>
Cc: kerberos@mit.edu
On Tue, Sep 20, 2022 at 12:56:51PM -0700, Russ Allbery wrote:
> Wouter Verhelst <w@uter.be> writes:
> > On Tue, Sep 20, 2022 at 11:43:40AM -0400, Greg Hudson wrote:
>
> >> From experience, this probably means you have a single-DES enctype
> >> listed in supported_enctypes and are using release 1.18. (In 1.17 or
> >> previous the enctype would be recognized; in 1.19 or later the library
> >> would ignore the enctype rather than failing out.) Remove the
> >> single-DES enctype and kadmind should start working again.
>
> > So, supported_enctypes is not even in the krb5.conf file; I assume that
> > means it then reverts to defaults?
>
> That's your krb5.conf, but the error message is about your kdc.conf
> (/etc/krb5kdc/kdc.conf). It has its own separate supported_enctypes
> setting.

My kdc.conf currently looks like this:

-----
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    GREP.BE = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        default_principal_flags = +preauth
        default_principal_expiration = 0
    }
-----

Adding a line "supported_enctypes = DEFAULT" in either the "kdcdefaults"
or "GREP.BE" section did not fix the issue.

It might be the "master_key_type" thing? But the issue exists in 1.17, too.

--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
I will have a Tin-Actinium-Potassium mixture, thanks.
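
A check for the condition Greg Hudson describes in the quoted text (a single-DES enctype listed in kdc.conf), added here as an example; it is not part of the thread or of MIT krb5. The single-DES name list, the function name and the sample realm are assumptions, and include directives are not followed.

```python
import re

# Single-DES enctype names and the "des" family alias as documented for
# MIT krb5 (assumption: this list does not come from the thread).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = {"supported_enctypes", "master_key_type"}

# Constructed sample (not the poster's file): one single-DES entry present.
SAMPLE = """\
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    EXAMPLE.TEST = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal des-cbc-crc:normal
    }
"""

def find_single_des(conf_text):
    """Return (location, key, entry) for each single-DES enctype listed."""
    findings = []
    section, realm = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
            continue
        if line.startswith("}"):
            realm = None
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if value == "{":  # start of a realm subsection
            realm = key
            continue
        if not sep or key not in ENCTYPE_KEYS:
            continue
        where = f"{section}/{realm}" if realm else section
        # Entries are separated by spaces or commas; supported_enctypes
        # entries may carry a ":salt" suffix.
        for item in re.split(r"[,\s]+", value):
            if item.split(":", 1)[0].lower() in SINGLE_DES:
                findings.append((where, key, item))
    return findings

print(find_single_des(SAMPLE))
```

An empty result means only that no single-DES name is written in the file; it says nothing about keys already stored in the database.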