Re: Kerberos V5 refuses authentication because Kerberos?checksum?verification failed: Bad encryption type

Sat, 16 Feb 2008 06:03:07 -0800 

Kevin Coffman wrote:
> >  > > What could be the reason that I cannot telnet from
> >  > > FreeBSD to Solaris 10
> >  > > with the following error:
> >  > >
> >  > > Connected to oracle.sibptus.tomsk.ru.
> >  > > Escape character is '^]'.
> >  > > [ Trying mutual KERBEROS5
> >  > > (host/[EMAIL PROTECTED])... ]
> >  > > [ Kerberos V5 refuses authentication because
> >  > > Kerberos checksum verification failed: Bad
> >  > > encryption type ]
> >  > > [ Trying KERBEROS5
> >  > > (host/[EMAIL PROTECTED])... ]
> >  > > [ Kerberos V5 refuses authentication because
> >  > > Kerberos checksum verification failed: Bad
> >  > > encryption type ]
> >  > > Password:
> >  > I believe that solaris (as as solaris 9) only supports
> >  > des-cbc-crc encrypion.
> >
> >  Actually, there *is* a des-cbc-crc key in the keytab, why wouldn't it just
> >  use it?
> >
> >  # klist -e -k /etc/krb5/krb5.keytab
> >  Keytab name: FILE:/etc/krb5/krb5.keytab
> >  KVNO Principal
> >  ---- 
> > -----------------------------------------------------------------------
> >    1 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
> >    1 host/[EMAIL PROTECTED] (etype 2)
> >    1 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
> >    1 host/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)

> probably because your client is getting a Triple DES service ticket
> from the KDC, since that would be the strongest encryption type [that
> it thinks the service supports].  If the Solaris machine can only do
> DES, then re-issue the keytab with only a DES key:

> ktadd -e des-cbc-crc:normal ost/[EMAIL PROTECTED]

OK, I did
del_enctype host/oracle.sibptus.tomsk.ru des-cbc-md4 des-cbc-md5 des3-cbc-sha1
in kadmin and transferred the keytab anew. Now I have:

# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
#       

But the problem remained. Any more ideas?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to