Re: kadmin not working after server migration, but kdc works

<mailman.101.1663746372.8148.kerberos@mit.edu>

From: w...@uter.be (Wouter Verhelst)
Newsgroups: comp.protocols.kerberos
Subject: Re: kadmin not working after server migration, but kdc works
Date: Wed, 21 Sep 2022 09:45:51 +0200
Cc: Greg Hudson <ghudson@mit.edu>, kerberos@mit.edu
To: Russ Allbery <eagle@eyrie.org>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Wouter Verhelst - Wed, 21 Sep 2022 07:45 UTC

On Tue, Sep 20, 2022 at 12:56:51PM -0700, Russ Allbery wrote:
> Wouter Verhelst <w@uter.be> writes:
> > On Tue, Sep 20, 2022 at 11:43:40AM -0400, Greg Hudson wrote:
>
> >> From experience, this probably means you have a single-DES enctype
> >> listed in supported_enctypes and are using release 1.18. (In 1.17 or
> >> previous the enctype would be recognized; in 1.19 or later the library
> >> would ignore the enctype rather than failing out.) Remove the
> >> single-DES enctype and kadmind should start working again.
>
> > So, supported_enctypes is not even in the krb5.conf file; I assume that
> > means it then reverts to defaults?
>
> That's your krb5.conf, but the error message is about your kdc.conf
> (/etc/krb5kdc/kdc.conf). It has its own separate supported_enctypes
> setting.

My kdc.conf currently looks like this:

-----
[kdcdefaults]
kdc_ports = 750,88

[realms]
    GREP.BE = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        default_principal_flags = +preauth
        default_principal_expiration = 0
    }
-----

Adding a line "supported_enctypes = DEFAULT" in either the "kdcdefaults"
or "GREP.BE" section did not fix the issue.

It might be the "master_key_type" thing? But the issue exists in 1.17, too.

--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

I will have a Tin-Actinium-Potassium mixture, thanks.
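
Added example (not part of the original message and not MIT krb5 code): a small Python check for the advice quoted in the thread, listing every enctype setting in a kdc.conf and flagging single-DES names. The SAMPLE text, including its supported_enctypes line, is constructed for illustration, and the single-DES name list is the one documented for MIT krb5 1.17 and earlier.

```python
import re

# Single-DES enctype names documented for MIT krb5 1.17 and earlier, plus the
# "des" family alias. des3-* names are triple-DES and are not in this set.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = {"supported_enctypes", "master_key_type"}

def enctype_settings(text):
    """Yield (section, realm, key, [enctypes]) for each enctype relation."""
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
        elif line.endswith("{"):
            realm = line.split("=")[0].strip()   # "GREP.BE = {" opens a realm
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                # entries look like "enctype[:salt]"; split on whitespace and commas
                names = [e.split(":")[0].lower()
                         for e in re.split(r"[,\s]+", value) if e]
                yield section, realm, key, names

def single_des_findings(text):
    """Return (section, realm, key, enctype) for every single-DES entry."""
    return [(s, r, k, e) for s, r, k, names in enctype_settings(text)
            for e in names if e in SINGLE_DES]

# Constructed sample: settings shaped like the kdc.conf in the message, plus a
# hypothetical supported_enctypes line of the kind the quoted advice describes.
SAMPLE = """\
[kdcdefaults]
kdc_ports = 750,88

[realms]
GREP.BE = {
    master_key_type = des3-hmac-sha1
    supported_enctypes = aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal
}
"""

if __name__ == "__main__":
    for s, r, k, names in enctype_settings(SAMPLE):
        print(f"[{s}] {r or '-'}: {k} = {' '.join(names)}")
    for finding in single_des_findings(SAMPLE):
        print("single-DES:", finding)
```

Run against a real /etc/krb5kdc/kdc.conf by passing the file's contents to `single_des_findings`; an empty result means no single-DES name appears in either setting, whether or not those settings are present.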
