|
Description
|
I created a user principal using arcfour-hmac-md5-exp as the only
encryption type for its key.
kadmin.local: addprinc -e arcfour-hmac-md5-exp:normal user01
WARNING: no policy specified for xxxxx@xxxxx.COM; defaulting to no policy
Enter password for principal " xxxxx@xxxxx.COM":
Re-enter password for principal " xxxxx@xxxxx.COM":
Principal " xxxxx@xxxxx.COM" created.
Then I modified /etc/krb5/krb5.conf on the client machine to specify
that arcfour-hmac-md5-exp be used in AS_REQ and TGS_REQ requests.
default_tgs_enctypes=arcfour-hmac-md5-exp
default_tkt_enctypes=arcfour-hmac-md5-exp
Then I ran kinit on the client to get credentials for user01; it
failed.
snake(snv_57) /> kinit user01
kinit(v5): KDC has no support for encryption type while getting
initial credentials
At the same time I saw the following error message on the KDC:
Feb 14 22:16:56 sharkfin krb5kdc[9792](info): AS_REQ (1 etypes
{24}) 10.4.233.80: BAD_ENCRYPTION_TYPE: xxxxx@xxxxx.COM for
krbtgt/ xxxxx@xxxxx.COM, KDC has no support for encryption type
If I didn't set default_tgs_enctypes and default_tkt_enctypes in
the /etc/krb5/krb5.conf file, it also failed, but with a slightly
different error message:
snake(snv_57) /> kinit user01
Password for xxxxx@xxxxx.COM:
kinit(v5): Preauthentication failed while getting initial
credentials
and I saw the following error messages on the KDC:
Feb 14 22:38:10 sharkfin krb5kdc[9792](info): AS_REQ (5 etypes
{17 16 23 3 1}) 10.4.233.80: NEEDED_PREAUTH: xxxxx@xxxxx.COM for
krbtgt/ xxxxx@xxxxx.COM, Additional pre-authentication required
Feb 14 22:38:20 sharkfin krb5kdc[9792](info): preauth
(timestamp) verify failure: No matching key in entry having a
permitted enctype
Feb 14 22:38:20 sharkfin krb5kdc[9792](info): AS_REQ (5 etypes
{17 16 23 3 1}) 10.4.233.80: PREAUTH_FAILED: xxxxx@xxxxx.COM for
krbtgt/ xxxxx@xxxxx.COM, Preauthentication failed
|
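An added example, not part of the original report or of any Kerberos distribution: a small Python parser that decodes the numeric etype lists in the krb5kdc AS_REQ lines quoted above and checks whether the enctype of the principal's only key (24, arcfour-hmac-md5-exp, assumed from the addprinc command) was among those the client offered. The log lines are rejoined from the report; the names `audit`, `etype_name` and `SAMPLE` are hypothetical.

```python
import re

# Kerberos encryption type numbers as assigned by IANA.
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5", 24: "arcfour-hmac-md5-exp",
}
# Enctypes deprecated for Kerberos by RFC 6649 and RFC 8429.
DEPRECATED = {1, 3, 16, 23, 24}

# Matches the krb5kdc AS_REQ format seen in the report.
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<client>\S+): (?P<status>[A-Z_]+):"
)

# Sample input: the wrapped log lines from the report, rejoined one per entry.
SAMPLE = [
    "Feb 14 22:16:56 sharkfin krb5kdc[9792](info): AS_REQ (1 etypes {24}) 10.4.233.80: BAD_ENCRYPTION_TYPE: xxxxx@xxxxx.COM for krbtgt/ xxxxx@xxxxx.COM, KDC has no support for encryption type",
    "Feb 14 22:38:10 sharkfin krb5kdc[9792](info): AS_REQ (5 etypes {17 16 23 3 1}) 10.4.233.80: NEEDED_PREAUTH: xxxxx@xxxxx.COM for krbtgt/ xxxxx@xxxxx.COM, Additional pre-authentication required",
    "Feb 14 22:38:20 sharkfin krb5kdc[9792](info): preauth (timestamp) verify failure: No matching key in entry having a permitted enctype",
    "Feb 14 22:38:20 sharkfin krb5kdc[9792](info): AS_REQ (5 etypes {17 16 23 3 1}) 10.4.233.80: PREAUTH_FAILED: xxxxx@xxxxx.COM for krbtgt/ xxxxx@xxxxx.COM, Preauthentication failed",
]

def etype_name(etype):
    """Return the enctype name, or a numeric placeholder if unknown."""
    return ETYPES.get(etype, f"etype-{etype}")

def audit(lines, key_etype):
    """Decode each AS_REQ line and compare the offer with the principal's key enctype."""
    results = []
    for line in lines:
        m = AS_REQ.search(line)
        if not m:
            continue  # e.g. the "preauth (timestamp) verify failure" line
        offered = [int(n) for n in m["etypes"].split()]
        results.append({
            "client": m["client"],
            "status": m["status"],
            "offered": [etype_name(e) for e in offered],
            "deprecated": [etype_name(e) for e in offered if e in DEPRECATED],
            "key_offered": key_etype in offered,
        })
    return results

if __name__ == "__main__":
    for r in audit(SAMPLE, key_etype=24):
        print(r["status"], r["offered"], "key offered:", r["key_offered"])
```

On the report's lines, the first request offers only etype 24, while the two later requests offer {17 16 23 3 1} and never include 24, which lines up with the KDC's "No matching key in entry having a permitted enctype" message.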