[OpenAFS-devel] Bug using krb5-1.2.2 kinit and aklog to get keytab AFS credentials

Jim Doyle doyle@theworld.com
Sat, 10 Nov 2001 10:15:07 -0500


Now that I have aklog working, I discovered another bug in the Kerberos
5 kinit tool when authenticating from a keytab rather than using a
cleartext password.  When kinit-ing from a keytab file, you will get a
vague error like this:

------------------------------------------------------------------------------
[root@prozac kinit]# ./kinit -k -t /etc/krb5.keytab wwwserver1
kinit(v5): Bad encryption type while getting initial credentials
------------------------------------------------------------------------------

The cause of the problem is that the krb5_get_init_creds_keytab() library
function needs a vector of supported enctypes to be initialized. When you
apply the patch at the bottom, things will work just dandy.

Things then work as needed; I'm using this to create persistent AFS
authentication contexts for various server processes...

------------------------------------------------------------------------------
[root@prozac kinit]# ./kinit -k -t /etc/krb5.keytab wwwserver1
[root@prozac kinit]# aklog
[root@prozac kinit]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 10004) tokens for afs@example.com [Expires Nov 10 21:10]
   --End of list--
[root@prozac kinit]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: wwwserver1@EXAMPLE.COM

Valid starting     Expires            Service principal
11/10/01 11:10:54  11/10/01 21:10:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/10/01 11:10:55  11/10/01 21:10:54  afs@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@prozac kinit]#
-------------------------------------------------------------------------------


patch to krb5-1.2.2/src/clients/kinit/kinit.c
(from krb5-1.2.2-12.src.rpm):
==============================================================================
[root@prozac kinit]# diff kinit.c.orig kinit.c
93a94,95
> extern const struct krb5_keytypes krb5_enctypes_list[];
> extern const int krb5_enctypes_length;
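
Review bot: The two extern declarations added at new lines 94-95, krb5_enctypes_list and krb5_enctypes_length, are not referenced by any other hunk in this patch. Suggest dropping them so kinit.c does not declare library symbols it never uses.
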
728a731,732
>     krb5_enctype supported_enctypes[] = { ENCTYPE_DES_CBC_CRC };
>     unsigned int enctypes_length = sizeof(supported_enctypes);
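
Review bot: enctypes_length on new line 732 is set to sizeof(supported_enctypes), which is the array's size in bytes, not its element count. krb5_get_init_creds_opt_set_etype_list() takes the number of entries, so for this one-element array the value passed is larger than 1 whenever krb5_enctype is wider than one byte, and the library is told the list extends past the end of the array. Suggest sizeof(supported_enctypes) / sizeof(supported_enctypes[0]).
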
735a740,749
>
>     /*
>      * set the list of desired enc types
>      */
>
>    krb5_get_init_creds_opt_set_etype_list(&options,
> 					  supported_enctypes,
> 					  enctypes_length);
>
>
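
Review bot: The krb5_get_init_creds_opt_set_etype_list() call lands at new lines 740-749, ahead of the case INIT_KT: label at line 799, so it does not look limited to the keytab path: every request kinit makes, password logins included, would be restricted to the single hard-coded ENCTYPE_DES_CBC_CRC. Suggest moving the call under the INIT_KT case or making the list configurable, and extending the comment to say why the list has to be set.
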
776c790
<
---
>
785c799
<     case INIT_KT:
---
>     case INIT_KT:
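
Review bot: In the 785c799 hunk the removed and added case INIT_KT: lines read the same, as do the blank lines in 776c790, so both look like whitespace-only changes. Suggest leaving them out so the patch carries only the functional change.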