Kprop failing when changing permitted tgs and tgt types

[Joe Travaglini]

Hello,
I had a successfully replicating KDC environment which was working.
I then changed the default and permitted tgs/tgt encryption types,
removing aes256 and aes128 from all fields.

I now get the following error when running kprop after a kdb5_util dump:
kprop: Message size is incompatible with encryption type while encoding
database block starting at 0

I tried destroying and recreating both KDCs to start fresh but I still am
getting this error. After extensive research I cannot understand why. Can
anyone help?

thank you
-Joe

[Greg Hudson]

On 02/03/2013 08:35 AM, Joe Travaglini wrote:
> I tried destroying and recreating both KDCs to start fresh but I still am
> getting this error. After extensive research I cannot understand why. Can
> anyone help?

You found a bug; kprop doesn't work with an RC4 session key. This was
previously unknown to me (or to our bug database, as far as I can tell);
I've written it up here:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7561&user=guest&pass=guest

For the moment, you'll need to use any other enctype as your preferred
session key enctype when running kprop.

[Joe Travaglini]

OK Greg. Thank you for the reply. Is there any way to configure this
specifically for kdb5 dump and kprop and not globally for all principals?

Much obliged,
-Joe

[Greg Hudson]

On 02/03/2013 12:36 PM, Joe Travaglini wrote:
> OK Greg. Thank you for the reply. Is there any way to configure this
> specifically for kdb5 dump and kprop and not globally for all principals?

You could use a separate krb5.conf (and the KRB5_CONFIG environment
variable), but short of that, no.

Why are you removing AES from the enctype variables? Perhaps there is a
better way around whatever problem you're fixing that way.

[Joe Travaglini]

It's an application limitation but I'm now considering fixing the
application config given this info. Thanks again, very helpful.