Enctype Negotiation Problem
John Hascall
john at iastate.edu
Wed Oct 11 20:51:55 EDT 2006
> >> >> - DES_CBC_MD4 is a "better" enctype, and both sides appear to support
> >> >> it (since the single-des types are interchangeable).
> >> >
> >> >> I'd be curious to know how the resulting ticket is not "useful"; that
> >> >> is, what application is being used and what error results when
> >> >> attempting to use that ticket.
> >> >
> >> > Here is the error reported by the user:
> >> >
> >> > $ telnet -fax cerberus.ait.iastate.edu
> >> > Encryption is verbose
> >> > Trying 129.186.145.115...
> >> > Connected to cerberus.ait.iastate.edu.
> >> > Escape character is '^]'.
> >> > [ Trying mutual KERBEROS5
> >> > (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ] [ Kerberos V5 refuses
> >> > authentication because telnetd:
> >> > krb5_rd_req failed: Encryption type not permitted ]
> >> > [ Trying KERBEROS5 (host/cerberus.ait.iastate.edu@IASTATE.EDU)... ]
> >> > [ Kerberos V5 refuses authentication because telnetd:
> >> > krb5_rd_req failed: Encryption type not permitted ]
> >>
> >> Is the telnetd also heimdal? That sounds like either the machine
> >> running telnetd is configured to require des-cbc-crc, or its keytab
> >> contains only a des-cbc-crc key. You can fix the latter problem by
> >> using ktutil to copy the keytab to a v4 srvtab and back.
> >
> > Yes, the keytab has only a des-cbc-crc key as that's all the KDB has.
>
> Ah, but MIT Kerberos treats des-cbc-crc, des-cbc-md4, and des-cbc-md5 as
> interchangeable in a variety of cases, and Heimdal does not. So if you
> have an MIT KDC and Heimdal application servers, then a principal with a
> des-cbc-crc key in the KDB needs to have all three enctypes in its keytab.
Well, that's just icky.
I was able to solve the problem by adding the following line to the KDC's
krb5.conf file:
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 \
des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc
Thanks,
John
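As an added illustration (not code from the thread or from either Kerberos implementation), here is a small Python model of the negotiation the thread describes: a KDC that, MIT-style, treats the three single-DES enctypes as interchangeable when picking a service-ticket key, and an application server whose keytab lookup either does the same (MIT) or insists on an exact enctype match (Heimdal). The preference order and the client's requested-enctype list are constructed assumptions; the permitted_enctypes list is the one from the post.

```python
# Added model of the single-DES enctype mismatch discussed in the thread.
# Hypothetical simplification: real KDC key selection and krb5_rd_req have
# more rules; only the interchangeability difference is modelled here.

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed KDC preference order, "best" first.
PREFERENCE = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
              "des3-cbc-sha1", "arcfour-hmac-md5",
              "des-cbc-md4", "des-cbc-md5", "des-cbc-crc"]

# The permitted_enctypes line from the post (no des-cbc-md4/md5).
PERMITTED = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
             "des3-cbc-sha1", "arcfour-hmac-md5", "des-cbc-crc"]

def key_usable(ticket_et, key_et, des_interchangeable):
    """Can a key of type key_et protect/decrypt a ticket of type ticket_et?"""
    if ticket_et == key_et:
        return True
    return des_interchangeable and ticket_et in SINGLE_DES and key_et in SINGLE_DES

def kdc_pick(requested, kdb_keys, permitted=None):
    """MIT-style KDC: best requested enctype for which some KDB key works."""
    for et in PREFERENCE:
        if et not in requested or (permitted is not None and et not in permitted):
            continue
        if any(key_usable(et, k, True) for k in kdb_keys):
            return et
    return None

def rd_req(ticket_et, keytab, des_interchangeable):
    """Application-server keytab lookup; False models Heimdal's strict match."""
    if any(key_usable(ticket_et, k, des_interchangeable) for k in keytab):
        return "ok"
    return "Encryption type not permitted"

def simulate(requested, kdb_keys, keytab, heimdal_server, permitted=None):
    """Return (service-ticket enctype, application-server verdict)."""
    et = kdc_pick(requested, kdb_keys, permitted)
    if et is None:
        return (None, "KDC has no usable key")
    return (et, rd_req(et, keytab, not heimdal_server))

if __name__ == "__main__":
    req, kdb = ["des-cbc-md4", "des-cbc-crc"], ["des-cbc-crc"]
    print(simulate(req, kdb, ["des-cbc-crc"], True))            # fails on Heimdal
    print(simulate(req, kdb, ["des-cbc-crc"], True, PERMITTED)) # fix from the post
    print(simulate(req, kdb, list(SINGLE_DES), True))           # ktutil keytab fix
```

The first call reproduces the "Encryption type not permitted" outcome; the second shows the KDC-side permitted_enctypes fix, and the third the keytab fix suggested earlier in the thread.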