Re: Applying policy results in Bad encryption type

https://www.novabbs.com/devel/article-flat.php?id=490&group=comp.protocols.kerberos#490

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Applying policy results in Bad encryption type
Date: Tue, 12 Mar 2024 16:12:27 -0400
Organization: TNet Consulting
Lines: 33
Message-ID: <mailman.39.1710274353.2322.kerberos@mit.edu>
References: <CAJhaRZ+GrY5GotYxSN0CJQZ1aVmUwcoNFFSQo6oskfqFLKuB9w@mail.gmail.com>
<202403122012.42CKCRvn005732@hedwig.cmf.nrl.navy.mil>
Cc: kerberos <kerberos@mit.edu>
To: BuzzSaw Code <buzzsaw.code@gmail.com>
In-Reply-To: <CAJhaRZ+GrY5GotYxSN0CJQZ1aVmUwcoNFFSQo6oskfqFLKuB9w@mail.gmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
X-Mailman-Original-Message-ID: <202403122012.42CKCRvn005732@hedwig.cmf.nrl.navy.mil>
X-Mailman-Original-References: <CAJhaRZ+GrY5GotYxSN0CJQZ1aVmUwcoNFFSQo6oskfqFLKuB9w@mail.gmail.com>

>We did a server replacement of our master KDC that had been on RHEL7
>for years to finally upgrade to RHEL8. We did a dump of the database
>prior to the swap, we still have the old server sitting around as
>well. Principal database is on disk in old db2 style. Kerberos
>version is 1.18 for RHEL8, RHEL7 version is 1.15.
>
>Everything went smoothly, except any attempt to change a password results in:
>
>"change_password: Bad encryption type while changing password for < principal >"
>
>Doesn't matter if it is done over the network or with kadmin.local.

What is the key type of the password history principal? That is in your
database as kadmin/history@REALM.

If it's something like single-DES, then that's your problem because
the old keys are encrypted in the database with the history key and
"Bad encryption key" is coming from the attempt to check the password
history. If that's the case then you can change the history key to a
modern algorithm using the command detailed here:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-history-key

But as detailed there that will invalidate your password history (much
like modprinc -clearpolicy).

In THEORY you could do some mangling on the database dump and try to
re-encrypt the old keys with a new key; when I ran into this situation I
decided that I didn't care THAT much about the old password history and
I didn't bother doing that.

--Ken
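
A way to check Ken's diagnosis and apply the documented fix, as an added example that is not part of the original post or of MIT krb5 itself. It reads the output of `kadmin.local -q "getprinc kadmin/history"`, flags any key whose enctype is single-DES (the family MIT krb5 1.18 dropped support for, which is why a 1.15-era history key would stop working after the RHEL8 move), and prints the change_password command from the linked MIT admin guide. The getprinc listing used when no KDC is present is constructed for this example (realm, kvno and dates are made up), and the `-e aes256-cts-hmac-sha1-96:normal` keysalt on the fix command is this example's choice, not something the docs mandate; the documented command is just `change_password -randkey kadmin/history`.

```shell
#!/bin/sh
# Added example, not code from the original post or from MIT krb5. It checks
# whether kadmin/history (the principal whose key encrypts the stored old
# password keys) still has a single-DES key, which is what Ken suspects, and
# prints the kadmin.local command from the MIT admin guide that replaces it.
# Everything below works on the text that `kadmin.local -q "getprinc
# kadmin/history"` prints; the sample listing is constructed for this example.

# Single-DES enctype names, which MIT krb5 1.18 no longer supports. If Ken's
# diagnosis is right, a history key of one of these types is what makes every
# password change on the 1.18 KDC fail even though the rest of the KDB loads.
REMOVED_ENCTYPES="des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des-hmac-sha1"

# Build a getprinc-style listing for a given history key enctype. The realm,
# timestamp and kvno are made up; only the "Key: vno N, <enctype>" line matters.
sample_getprinc() {
    printf 'Principal: kadmin/history@EXAMPLE.COM\n'
    printf 'Expiration date: [never]\n'
    printf 'Last password change: Thu Jan 01 00:00:00 UTC 2015\n'
    printf 'Number of keys: 1\n'
    printf 'Key: vno 1, %s\n' "$1"
    printf 'MKey: vno 1\n'
    printf 'Attributes:\n'
    printf 'Policy: [none]\n'
}

# Extract the enctype names from "Key: vno N, <enctype>[:salt]" lines on stdin.
history_enctypes() {
    sed -n 's/^Key: vno [0-9]*, \([^:,]*\).*/\1/p'
}

# Return 0 when the enctype is single-DES, 1 otherwise.
is_removed_enctype() {
    for t in $REMOVED_ENCTYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Classify every key on the history principal. Prints "REMOVED <enctype>" or
# "OK <enctype>" per key and returns 1 if any key would be unusable on 1.18.
check_history_key() {
    bad=0
    for et in $(printf '%s\n' "$1" | history_enctypes); do
        if is_removed_enctype "$et"; then
            echo "REMOVED $et"
            bad=1
        else
            echo "OK $et"
        fi
    done
    return $bad
}

# The remedy from the MIT admin guide ("Updating the history key"): give
# kadmin/history a fresh random key. The -e keysalt is this example's choice;
# without it the KDC's default keysalt list is used. Either way the stored
# password history is invalidated, exactly as Ken warns.
fix_command() {
    echo "kadmin.local -q 'change_password -randkey -e aes256-cts-hmac-sha1-96:normal kadmin/history'"
}

# On a KDC host, inspect the real principal; elsewhere use the constructed case.
if command -v kadmin.local >/dev/null 2>&1; then
    listing=$(kadmin.local -q 'getprinc kadmin/history' 2>/dev/null) || listing=""
else
    listing=$(sample_getprinc des-cbc-crc)
fi
if ! check_history_key "$listing"; then
    echo "history key needs replacing; run as root on the KDC:"
    fix_command
fi
```

Run it as root on the KDC to inspect the live principal; anywhere else it works through the constructed des-cbc-crc case and prints the fix. After the history key is replaced, the old password keys stored under the previous history key can no longer be decrypted, so the policy's reuse check only covers passwords set from that point on.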
