OpenSolaris

Bug ID 6320871
Synopsis kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required
State 10-Fix Delivered (Fix available in build)
Category:Subcategory kerberosv5_bundled:other
Keywords des-cbc-crc | kerberos | kinit | onnv_triage
Responsible Engineer William Fiveash
Reported Against
Duplicate Of
Introduced In solaris_10
Commit to Fix snv_26
Fixed In snv_26
Release Fixed solaris_nevada(snv_26), solaris_10u3(s10u3_05) (Bug ID:2134118)
Related Bugs 4839106
Submit Date 7-September-2005
Last Update Date 8-March-2007
Description
See following note
kinit willf will fail if krb5.conf has default_tkt_enctypes = des-cbc-crc and the willf princ entry has:

Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH

I think this is due to code in krb5_do_preauth() that does:

		/*
		 * Select first etype in our request which is also in
		 * etype-info (preferring client request ktype order).
		 */
		for (etype_found = 0, valid_etype_found = 0, k = 0;
		       	!etype_found && k < request->nktypes; k++) {
		    for (l = 0; etype_info[l]; l++) {
			if (etype_info[l]->etype == request->ktype[k]) {
			    etype_found++;
			    break;
			}

The problem is this code doesn't deal with the concept of des-cbc-crc and des-cbc-md5 similarity as is done in other parts of mech_krb5.
Work Around
N/A
Comments
N/A
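
Added example, not taken from the bug report or from the mech_krb5 source: a self-contained model of the selection loop quoted in the description, showing the exact-match lookup failing for the reported configuration next to a variant that treats des-cbc-crc and des-cbc-md5 as similar. The function names are hypothetical, the etype-info contents are assumed to mirror the principal's five keys, and this is not the fix delivered in snv_26.

```c
#include <stddef.h>

/* Enctype numbers as assigned in RFC 3961, RFC 3962 and RFC 4757. */
enum { DES_CBC_CRC = 1, DES_CBC_MD5 = 3, DES3_CBC_SHA1 = 16,
       AES128_CTS = 17, AES256_CTS = 18, ARCFOUR_HMAC = 23 };

/*
 * Hypothetical helper: des-cbc-crc and des-cbc-md5 use the same single-DES
 * key, so a key stored for one can serve a request for the other.
 */
static int etypes_similar(int a, int b)
{
    int a_des = (a == DES_CBC_CRC || a == DES_CBC_MD5);
    int b_des = (b == DES_CBC_CRC || b == DES_CBC_MD5);
    return a == b || (a_des && b_des);
}

/*
 * Select the first requested enctype that is also in etype-info, keeping
 * the client's preference order. Returns the index into info[], or -1.
 * allow_similar == 0 models the exact-match comparison quoted in the report.
 */
static int select_etype(const int *req, size_t nreq,
                        const int *info, size_t ninfo, int allow_similar)
{
    for (size_t k = 0; k < nreq; k++)
        for (size_t l = 0; l < ninfo; l++)
            if (allow_similar ? etypes_similar(info[l], req[k])
                              : info[l] == req[k])
                return (int)l;
    return -1;
}

/* Constructed sample: etype-info assumed to list the principal's keys. */
static const int sample_info[] = { AES256_CTS, AES128_CTS, DES3_CBC_SHA1,
                                   ARCFOUR_HMAC, DES_CBC_MD5 };
/* Constructed sample: default_tkt_enctypes = des-cbc-crc. */
static const int sample_req[] = { DES_CBC_CRC };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Exact match: no entry equals des-cbc-crc, so nothing is selected. */
int demo_exact(void)
{
    return select_etype(sample_req, COUNT(sample_req),
                        sample_info, COUNT(sample_info), 0);
}

/* Similarity-aware match: the des-cbc-md5 entry is accepted. */
int demo_similar(void)
{
    return select_etype(sample_req, COUNT(sample_req),
                        sample_info, COUNT(sample_info), 1);
}
```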