OpenSolaris

Bug ID 6538725
Synopsis ktutil can't list keys with unknown (unsupported) encryption types.
State 10-Fix Delivered (Fix available in build)
Category:Subcategory kerberosv5_bundled:other
Keywords rtiq_reviewed
Responsible Engineer Peter Shoults
Reported Against
Duplicate Of
Introduced In solaris_8
Commit to Fix snv_73
Fixed In snv_73
Release Fixed solaris_nevada(snv_73) , solaris_10u5(s10u5_02) (Bug ID:2148934)
Related Bugs 6558280
Submit Date 26-March-2007
Last Update Date 15-September-2007
Description
The customer's Solaris 9 host is using Kerberos to authenticate against a Microsoft Active Directory. As a result, the keytab generated on the MS AD server will include keys that use the RC4-HMAC-MD5 (etype 23) encryption type. The customer is well aware that Solaris 9 doesn't have support for this encryption type and he doesn't plan to use it. However, in order to prevent Kerberos from attempting to use it, he needs to remove it from the keytab.

On the Solaris 9 host, the customer is able to list the contents of the keytab using klist(1) without any problems:

---
# klist -ek -t /tmp/krb5.keytab
Keytab name: FILE:/tmp/krb5.keytab
KVNO Timestamp Principal
---- ------------------------ --------------------------------------------------
0 Thu Mar 22 14:30:01 2007 host/ xxxxx@xxxxx.UK (DES-CBC-CRC)
0 Thu Mar 22 14:30:01 2007 host/ xxxxx@xxxxx.UK (DES-CBC-MD5)
0 Thu Mar 22 14:30:01 2007 host/ xxxxx@xxxxx.UK (etype 23)
0 Thu Mar 22 14:30:01 2007 host/ xxxxx@xxxxx.UK (DES-CBC-CRC)
0 Thu Mar 22 14:30:01 2007 host/ xxxxx@xxxxx.UK (DES-CBC-MD5)
0 Thu Mar 22 14:30:01 2007 host/ xxxxx@xxxxx.UK (etype 23)
0 Thu Mar 22 14:30:01 2007 THUNDER$@NHM.AC.UK (DES-CBC-CRC)
0 Thu Mar 22 14:30:01 2007 THUNDER$@NHM.AC.UK (DES-CBC-MD5)
0 Thu Mar 22 14:30:01 2007 THUNDER$@NHM.AC.UK (etype 23)
---

As you can see the RC4-HMAC-MD5 enc type is reported as "etype 23".

However, if he then loads the keytab into ktutil(1) and lists the keys and shows the encryption type (so he can identify which key to remove) it fails:

---
# ktutil
ktutil: rkt /tmp/krb5.keytab
ktutil: l -e
slot KVNO Principal
---- ---- --------------------------------------------------------------------------
1 0 host/ xxxxx@xxxxx.UK (DES cbc mode with CRC-32)
2 0 host/ xxxxx@xxxxx.UK (DES cbc mode with RSA-MD5)
l: Unknown code 22 While converting enctype to string
3 0 host/ xxxxx@xxxxx.UKktutil: exit
#
---

klist(1) and ktutil(1) show inconsistent behaviour when encountering an unknown encryption type.

The customer is able to successfully manipulate the keytab using the MIT ktutil(1) and ktutil(1) on Solaris 10. He is also able to list the contents on Solaris 9 in ktutil if he doesn't use the "-e" option; however, without the encryption types shown, the customer can't be sure he's removing the correct key.

ktutil(1) should handle unknown encryption types the way klist(1) does, by printing the enc type number instead of failing. klist(1) does this with the etype_string() function.
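The following is an added example, not code from the Solaris or MIT ktutil sources, showing the behaviour this report asks for: a keytab lister that prints a name for known enctypes and falls back to "etype N" for anything else, so that a slot with an unsupported key can still be identified and deleted. It parses and writes the version 0x0502 FILE keytab format (the same layout MIT and Solaris klist/ktutil read). The enctype name table, the principal name, timestamp and key bytes of the sample keytab are all constructed for the example; the real ktutil delent writes a negative-length tombstone rather than rewriting the file as this code does.

```python
import struct

# Enctype names known to this example (a constructed subset; RC4-HMAC, etype 23,
# is deliberately absent to reproduce the "unsupported enctype" situation).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def etype_string(etype):
    """The klist behaviour the report asks ktutil to adopt: fall back to the number."""
    return ENCTYPE_NAMES.get(etype, "etype %d" % etype)

def _counted(data, off):
    """Read a uint16-length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT/Solaris FILE keytab, version 0x0502, into a list of dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:          # negative size marks a deleted slot; skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2)
        _nt, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:    # optional 32-bit kvno appended after the key
            (vno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "timestamp": ts, "enctype": etype, "key": key})
    return entries

def build_keytab(entries):
    """Serialise entries back into a version 0x0502 keytab (writes the 32-bit kvno)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIBHH", 1, e["timestamp"], e["kvno"] & 0xFF,
                            e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def list_keys(data, show_enctype=True):
    """Equivalent of 'ktutil: l [-e]': one line per slot, never failing on unknown etypes."""
    lines = []
    for slot, e in enumerate(parse_keytab(data), 1):
        line = "%4d %4d %s" % (slot, e["kvno"], e["principal"])
        if show_enctype:
            line += " (%s)" % etype_string(e["enctype"])
        lines.append(line)
    return lines

def delete_slot(data, slot):
    """Equivalent of 'ktutil: delent <slot>' then 'wkt': drop one entry and rewrite."""
    entries = parse_keytab(data)
    if not 1 <= slot <= len(entries):
        raise IndexError("no slot %d" % slot)
    del entries[slot - 1]
    return build_keytab(entries)

def rc4_free_keytab(data):
    """Remove every RC4-HMAC (etype 23) slot, highest slot first so indices stay valid."""
    for slot, e in reversed(list(enumerate(parse_keytab(data), 1))):
        if e["enctype"] == 23:
            data = delete_slot(data, slot)
    return data

# Constructed sample: the shape of an AD-generated keytab, with dummy key bytes.
PRINCIPAL = "host/thunder.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    {"principal": PRINCIPAL, "kvno": 2, "timestamp": 1174573801, "enctype": 1, "key": b"\x01" * 8},
    {"principal": PRINCIPAL, "kvno": 2, "timestamp": 1174573801, "enctype": 3, "key": b"\x02" * 8},
    {"principal": PRINCIPAL, "kvno": 2, "timestamp": 1174573801, "enctype": 23, "key": b"\x03" * 16},
])

if __name__ == "__main__":
    print("\n".join(list_keys(SAMPLE_KEYTAB)))
    print("\n".join(list_keys(rc4_free_keytab(SAMPLE_KEYTAB))))
```

Listing the sample prints the third slot as "(etype 23)" rather than aborting, which is exactly what lets the operator pick the slot to delete; rc4_free_keytab then rewrites the keytab with only the DES keys left.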
Work Around
N/A
Comments
N/A