Applying policy results in Bad encryption type

From: buzzsaw....@gmail.com (BuzzSaw Code)
Newsgroups: comp.protocols.kerberos
Subject: Applying policy results in Bad encryption type
Date: Tue, 12 Mar 2024 15:53:18 -0400
Message-ID: <mailman.38.1710273213.2322.kerberos@mit.edu>
 by: BuzzSaw Code - Tue, 12 Mar 2024 19:53 UTC

We did a server replacement of our master KDC that had been on RHEL7
for years to finally upgrade to RHEL8. We did a dump of the database
prior to the swap, we still have the old server sitting around as
well. Principal database is on disk in old db2 style. Kerberos
version is 1.18 for RHEL8, RHEL7 version is 1.15.

Everything went smoothly, except any attempt to change a password results in:

"change_password: Bad encryption type while changing password for < principal >"

Doesn't matter if it is done over the network or with kadmin.local.

If we unset the password policy for an account (modprinc -clearpolicy)
we can change the password, but this isn't ideal.

- We disabled FIPS and the new RHEL8 crypto policies, which gave no change.

- We restored the database again, with no change in behavior.

- We removed policies from all accounts, removed all policies,
recreated all policies, and re-applied all the policies to every
account. No change.

I'm stumped and have been trying different things for about 12 hours - help?
