
permitted_enctypes = "des-cbc-crc" triggers 'kinit: Generic error (see e-text) while getting initial credentials'


Wendy Lin

Mar 20, 2014, 6:01:19 PM
to <kerberos@mit.edu>
I have this in my Suse 11.3 /etc/krb.conf for libdefaults:

allow_weak_crypto = true
# permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1
aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"
permitted_enctypes = "des-cbc-crc"

Now if I try to kinit I get this error:

kinit
kinit: Generic error (see e-text) while getting initial credentials

Why?

Wendy

steve

Mar 20, 2014, 6:26:43 PM
to kerb...@mit.edu
Hi
Do you have DNS configured properly?
Add:
dns_lookup_realm = false
dns_lookup_kdc = true

to [libdefaults]


Benjamin Kaduk

Mar 20, 2014, 6:32:07 PM
to Wendy Lin, <kerberos@mit.edu>
On Thu, 20 Mar 2014, Wendy Lin wrote:

> I have this in my Suse 11.3 /etc/krb.conf for libdefaults:
>
> allow_weak_crypto = true
> # permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1
> aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"
> permitted_enctypes = "des-cbc-crc"
>
> Now if I try to kinit I get this error:
>
> kinit
> kinit: Generic error (see e-text) while getting initial credentials

If your client is only trying to use des-cbc-crc (a bad idea, see RFC
6649) but the KDC does not have a key for your principal of that enctype,
attempting to get a ticket cannot succeed -- there is no key that both
parties will use to secure the communication.

-Ben Kaduk
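
The no-common-enctype condition described in the reply above, as an added example that is not part of the thread and not MIT krb5 code. It is a simplified model: the `DEFAULT` list and the KDC key lists passed to `diagnose` are constructed assumptions, and the thread does not confirm that this was the actual cause.

```python
# Added example: simplified model of client/KDC enctype matching, not MIT krb5 code.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # single-DES enctypes (RFC 6649)
# Assumption: stand-in for the library default used when permitted_enctypes is unset.
DEFAULT = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample: the [libdefaults] settings quoted in the thread.
THREAD_CONF = """[libdefaults]
allow_weak_crypto = true
# permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1"
permitted_enctypes = "des-cbc-crc"
"""

def parse_libdefaults(text):
    """Return the key = value relations found in the [libdefaults] section."""
    section, relations = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            relations[key.strip()] = value.strip().strip('"')
    return relations

def client_enctypes(conf):
    """Enctypes the client will use once the weak-crypto filter is applied."""
    allow_weak = conf.get("allow_weak_crypto", "false").lower() in TRUE_WORDS
    if "permitted_enctypes" in conf:
        permitted = conf["permitted_enctypes"].replace(",", " ").split()
    else:
        permitted = list(DEFAULT)
    return [e for e in permitted if allow_weak or e not in WEAK]

def diagnose(conf_text, kdc_key_enctypes):
    """Compare the client's usable enctypes with the principal's key enctypes."""
    offered = client_enctypes(parse_libdefaults(conf_text))
    common = [e for e in offered if e in kdc_key_enctypes]
    if not common:
        verdict = "no common enctype: initial ticket request cannot succeed"
    elif all(e in WEAK for e in common):
        verdict = "only weak enctypes in common: re-key the principal (RFC 6649)"
    else:
        verdict = "ok"
    return {"offered": offered, "common": common, "verdict": verdict}
```

On a real deployment the key enctype list for a principal comes from the `getprinc` output in kadmin.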

ольга крыжановская

Mar 21, 2014, 6:16:31 AM
to Benjamin Kaduk, <kerberos@mit.edu>
Plain des-cbc-crc only authentication doesn't seem to be supported any more:

$ kadmin
Authenticating as principal root/ad...@MINIPAX.TERRORONWAR.ORG with password.
kadmin: KDC has no support for encryption type while initializing
kadmin interface

Olga



--
, _ _ ,
{ \/`o;====- Olga Kryzhanovska -====;o`\/ }
.----'-/`-/ olga.kry...@gmail.com \-`\-'----.
`'-..-| / http://twitter.com/fleyta \ |-..-'`
/\/\ Solaris/BSD//C/C++ programmer /\/\
`--` `--`

Benjamin Kaduk

Mar 21, 2014, 11:06:04 AM
to ольга крыжановская, <kerberos@mit.edu>
On Fri, 21 Mar 2014, ольга крыжановская wrote:

> Plain des-cbc-crc only authentication doesn't seem to be supported any more:

Most likely, you still have the 'allow_weak_crypto' setting in krb5.conf
at its default value, false.

-Ben

ольга крыжановская

Mar 21, 2014, 5:57:28 PM
to Benjamin Kaduk, <kerberos@mit.edu>
No, allow_weak_crypto is set to true:

[libdefaults]
# default_realm = EXAMPLE.COM

default_realm = MINIPAX.TERRORONWAR.ORG
clockskew = 300
allow_weak_crypto = true
# permitted_enctypes = "des-cbc-crc arcfour-hmac des3-cbc-sha1
aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"
permitted_enctypes = "des-cbc-crc"

Any other ideas?

Olga