Package: heimdal-kdc
Version: 1.4.0~git20100221.dfsg.2-2
Severity: important
I was about to mark this critical, when I found it only affects one of
my realms - the other seems to work fine ?!?
I have two realm, with similar setups:
*) 32 and 64 bit KDC and clients
*) Data stored in LDAP
*) libssl0.9.8m-2
*) The same krb5.conf (sans default realm)
*) Needing weak auth (NFS and Windows XP):
Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
des-cbc-crc(pw-salt),
aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt),
arcfour-hmac-md5(pw-salt)
On this realm, the 64 bit server answers all AS-REQ requests with:
krb5_crypto_init failed: encryption key has bad length
The 32bit server says:
krb5_crypto_init failed: encryption type 168010328 not supported
So, on the 32bit system I downgraded KDC to testing and wound with
krb5_crypto_init failed: encryption key has bad length
Downgrading KDC to stable and I'm back to bad enc type :(
so it is more likely *one* of the libraries, but I no clue which :(
The kdc logs look kosher (sans the error):
2010-03-20T21:09:48 AS-REQ authtime: 2010-03-20T21:09:48 starttime: unset
endtime: 2010-09-16T21:09:48 renew till: 2010-04-19T21:09:48
2010-03-20T21:09:48 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
des-cbc-md5, des-cbc-md4, des-cbc-crc, using
des3-cbc-md5/aes256-cts-hmac-sha1-96
2010-03-20T21:09:48 Requested flags: renewable, forwardable
2010-03-20T21:09:48 krb5_crypto_init failed: encryption key has bad length
2010-03-20T21:09:48 sending 162 bytes to IPv4:127.0.0.1
2010-03-20T21:41:10 AS-REQ authtime: 2010-03-20T21:41:10 starttime: unset
endtime: 2010-04-03T21:41:10 renew till: 2010-04-19T21:41:10
2010-03-20T21:41:10 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
des-cbc-md5, des-cbc-md4, des-cbc-crc, using enctypes 140692640/18
2010-03-20T21:41:10 Requested flags: renewable, forwardable
2010-03-20T21:41:10 krb5_crypto_init failed: encryption type 140692640 not
supported
2010-03-20T21:41:10 sending 172 bytes to IPv4:127.0.0.1
Whereas the working realm has:
2010-03-20T21:15:25 AS-REQ authtime: 2010-03-20T21:15:25 starttime: unset
endtime: 2010-04-03T21:15:25 renew till: 2010-06-27T21:15:25
2010-03-20T21:15:25 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
des-cbc-md5, des-cbc-md4, des-cbc-crc, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2010-03-20T21:15:25 Requested flags: renewable, proxiable
2010-03-20T21:15:25 sending 732 bytes to IPv4:127.0.0.1
So, something is causing bad negotiation on some (but not all) realms :(
-- System Information:
Debian Release: squeeze/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'),
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages heimdal-kdc depends on:
ii debconf [debc 1.5.28 Debian configuration management sy
ii heimdal-clien 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - clients
ii krb5-config 2.2 Configuration files for Kerberos V
ii libasn1-8-hei 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - ASN.1 library
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
pi libdb4.8 4.8.26-1 Berkeley v4.8 Database Libraries [
ii libedit2 2.11-20080614-1 BSD editline and history libraries
ii libgssapi2-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - GSSAPI support
ii libhdb9-heimd 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - kadmin server l
ii libkadm5srv8- 1.4.0~git20100221.dfsg.2-2 Libraries for Heimdal Kerberos
ii libkdc2-heimd 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - KDC support lib
ii libkrb5-26-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - libraries
ii libncurses5 5.7+20100313-1 shared libraries for terminal hand
ii libroken18-he 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - roken support l
ii libsl0-heimda 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - SL support libr
ii libssl0.9.8 0.9.8m-2 SSL shared libraries
ii xinetd [inet- 1:2.3.14-7 replacement for inetd with many en
Versions of packages heimdal-kdc recommends:
ii logrotate 3.7.8-4 Log rotation utility
Versions of packages heimdal-kdc suggests:
ii heimdal-docs 1.4.0~git20100221.dfsg.2-2 Heimdal Kerberos - documentation
-- debconf information excluded
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]