harmony-dev mailing list archives

From "Leo Li" <liyilei1...@gmail.com>
Subject [classlib][auth] Problem to get TGT by des-cbc-md5 encryption type from MIT Krb5-1.5.4 KDC on suse 10.
Date Mon, 05 Nov 2007 05:32:45 GMT
Hi, all
     I am now setting up the environment for JGSS, but I encountered a
problem here: The MIT KDC does not seem to support the des-cbc-md5 encryption type.
I have tried it both with the KDC provided by RedHat Enterprise 5 and on the
KDC built by myself on suse 10.
     I have posted a mail to the MIT Kerberos mailing list but have had no response
yet. So I am not sure whether the encryption type is acknowledged by MIT KDC or
     Is there somebody familiar with it?

   Below is the configuration:

 Here is the kdc.conf:

kdc_ports = 88

database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
kdc_ports = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3

And the krb5.conf has:

default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tkt_enctypes = des-cbc-md5

  kdc = leo-suse.cn.ibm.com:88
  admin_server = leo-suse.cn.ibm.com:749
  default_domain = leo-suse.cn.ibm.com

.leo-suse.cn.ibm.com = EXAMPLE.COM
leo-suse.cn.ibm.com = EXAMPLE.COM

And then if I run
       kinit test@EXAMPLE.COM
It complains:
       kinit(v5): KDC has no support for encryption type while getting initial credentials

I have also added the des-cbc-md5 enctype as a keytab for test@EXAMPLE.COM by:
       kadmin.local:  addprinc -e "des-cbc-md5:normal" test@EXAMPLE.COM
And the getprinc also shows:
       kadmin.local:  getprinc test@EXAMPLE.COM
       Number of keys: 1
       Key: vno 1, DES cbc mode with RSA-MD5, no salt
       Policy: [none]

Besides, it seems other encryption types are all supported, for example, the

Leo Li
China Software Development Lab, IBM
