Re: Applying policy results in Bad encryption type

https://www.novabbs.com/devel/article-flat.php?id=491&group=comp.protocols.kerberos#491

From: buzzsaw....@gmail.com (BuzzSaw Code)
Newsgroups: comp.protocols.kerberos
Subject: Re: Applying policy results in Bad encryption type
Date: Tue, 12 Mar 2024 16:22:07 -0400
Organization: TNet Consulting
Message-ID: <mailman.40.1710274943.2322.kerberos@mit.edu>
References: <CAJhaRZ+GrY5GotYxSN0CJQZ1aVmUwcoNFFSQo6oskfqFLKuB9w@mail.gmail.com>
<202403122012.42CKCRvn005732@hedwig.cmf.nrl.navy.mil>
<CAJhaRZKW0shdvBDfUi1u=OdMk8TZDyF76F6Dk5bdoSKBNxgSfQ@mail.gmail.com>
Cc: kerberos <kerberos@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202403122012.42CKCRvn005732@hedwig.cmf.nrl.navy.mil>
by: BuzzSaw Code - Tue, 12 Mar 2024 20:22 UTC

You nailed it - we dropped DES and switched to AES keys everywhere
else a long time ago but somehow missed that.

Thank you!

On Tue, Mar 12, 2024 at 4:12 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >We did a server replacement of our master KDC that had been on RHEL7
> >for years to finally upgrade to RHEL8. We did a dump of the database
> >prior to the swap, we still have the old server sitting around as
> >well. Principal database is on disk in old db2 style. Kerberos
> >version is 1.18 for RHEL8, RHEL7 version is 1.15.
> >
> >Everything went smoothly, except any attempt to change a password results in:
> >
> >"change_password: Bad encryption type while changing password for < principal >"
> >
> >Doesn't matter if it is done over the network or with kadmin.local.
>
> What is the key type of the password history principal? That is in your
> database as kadmin/history@REALM.
>
> If it's something like single-DES, then that's your problem because
> the old keys are encrypted in the database with the history key and
> "Bad encryption key" is coming from the attempt to check the password
> history. If that's the case then you can change the history key to a
> modern algorithm using the command detailed here:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-history-key
>
> But as detailed there that will invalidate your password history (much
> like modprinc -clearpolicy).
>
> In THEORY you could do some mangling on the database dump and try to
> re-encrypt the old keys with a new key; when I ran into this situation I
> decided that I didn't care THAT much about the old password history and
> I didn't bother doing that.
>
> --Ken
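
Ken's diagnosis above amounts to a two-step procedure: look at the enctype on the kadmin/history principal, and re-key it if it is single-DES. The shell below is an added example for this thread, not code from the original posts or from MIT krb5. It parses the output of `kadmin.local getprinc kadmin/history` and flags the single-DES case; MIT krb5 1.18 removed single-DES entirely, which is why a history key that worked on the 1.15 KDC fails on the 1.18 one. The getprinc listings embedded in the script are constructed (EXAMPLE.COM is a placeholder realm), the "Key: vno N, <enctype>[:salttype]" line format is assumed from what kadmin prints, and the re-key command in the trailing comment is the form the linked MIT page documents and should be verified there before it is run, since it discards the stored password history.

```shell
#!/bin/sh
# Added example, not code from the original thread or from MIT krb5.
# Parses `kadmin.local getprinc kadmin/history` output and reports whether
# the history key uses a single-DES enctype, which MIT krb5 1.18 removed.
# Assumptions: the "Key: vno N, <enctype>[:salttype]" line format printed by
# kadmin getprinc, and the constructed sample listings below (EXAMPLE.COM is
# a placeholder realm, not the poster's).

# Single-DES enctype names as MIT krb5 spells them. A 1.18 KDC cannot
# decrypt anything under these, so a history key of this type makes every
# password-history check fail with "Bad encryption type".
weak_enctype() {
    case "$1" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5|des-cbc-raw|des-hmac-sha1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the enctype name from each "Key:" line on stdin, dropping any
# ":salttype" suffix (or the older ", no salt" wording).
list_key_enctypes() {
    sed -n 's/^Key: vno [0-9][0-9]*, \([^:,]*\).*$/\1/p'
}

# Read a getprinc listing on stdin. Prints "update-needed" if any key on the
# principal uses a removed enctype, "ok" otherwise. Returns 1 (and prints
# nothing on stdout) when no Key: lines are present, so a typo in the
# principal name does not silently read as "ok".
check_history_key() {
    found=0 weak=0
    for et in $(list_key_enctypes); do
        found=1
        if weak_enctype "$et"; then
            echo "kadmin/history key uses removed enctype $et" >&2
            weak=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no Key: lines in input; wrong principal?" >&2; return 1; }
    if [ "$weak" -eq 1 ]; then echo update-needed; else echo ok; fi
}

# Constructed sample listings (abridged getprinc output, not captured from a
# real KDC): a DES-era history key and one already re-keyed to AES.
SAMPLE_DES='Principal: kadmin/history@EXAMPLE.COM
Number of keys: 1
Key: vno 1, des-cbc-crc
MKey: vno 1
Policy: [none]'

SAMPLE_AES='Principal: kadmin/history@EXAMPLE.COM
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96
MKey: vno 1
Policy: [none]'

printf '%s\n' "$SAMPLE_DES" | check_history_key   # update-needed
printf '%s\n' "$SAMPLE_AES" | check_history_key   # ok

# On the KDC itself (as root), the live check is:
#   kadmin.local -q 'getprinc kadmin/history' | check_history_key
# If it reports update-needed, re-key the history principal as the MIT page
# Ken links describes (verify the exact command there first); this discards
# the stored password history, as Ken notes:
#   kadmin.local -q 'cpw -randkey -e aes256-cts-hmac-sha1-96:normal kadmin/history'
```

Run the live check before touching anything: if it prints "ok", the history key is not the cause and the "Bad encryption type" is coming from somewhere else (for instance a principal whose own stored keys are single-DES), so the re-key command would only throw away password history for no gain.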
