Bug 36542 - Heimdal ignores default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Kerberos
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.3
Assigned To: Arvid Requate
Felix Botner
: interim-3
Reported: 2014-11-10 15:30 CET by Arvid Requate
Modified: 2018-08-10 17:31 CEST (History)
What kind of report is it?: Development Internal
Bug group (optional): Cleanup
Description Arvid Requate univentionstaff 2014-11-10 15:30:31 CET
In /etc/krb5.conf we set

default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes

From heimdal/lib/krb5/verify_krb5_conf.c it seems that these are ignored or at least MIT-specific. The man page suggests that "default_tgs_etypes" is evaluated instead.

We should check if the current settings in /etc/krb5.conf have any effect at all or if they should be removed or adjusted to current Heimdal behaviour.
Comment 1 Stefan Gohmann univentionstaff 2017-06-16 20:39:09 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
Comment 2 Arvid Requate univentionstaff 2018-02-15 18:55:42 CET
Fixed for Bug #46292 by setting the Heimdal-specific options (default_etypes, default_tgs_etypes and default_as_etypes) too.
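
The check discussed in the description and in Comment 2, as an added example that is not part of the original bug report or of UCS: a small audit that reads the `[libdefaults]` section of a krb5.conf and reports enctype restrictions that exist only under the MIT-style option names. The option names come from this report; the function names and the sample configurations are constructed for illustration.

```python
import re

# Option names as given in the bug report: the MIT-style names found in
# /etc/krb5.conf and the Heimdal-specific names the fix sets in addition.
MIT_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
HEIMDAL_KEYS = ("default_etypes", "default_tgs_etypes", "default_as_etypes")

def parse_libdefaults(text):
    """Return {option: [values]} for top-level [libdefaults] entries."""
    section, depth, opts = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section, depth = header.group(1).strip().lower(), 0
        elif line.endswith("{"):
            depth += 1          # nested block, e.g. per-realm settings
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = [v for v in re.split(r"[,\s]+", value) if v]
    return opts

def audit(text):
    """Compare enctype settings under MIT names with those under Heimdal names."""
    opts = parse_libdefaults(text)
    mit = {e for k in MIT_KEYS for e in opts.get(k, [])}
    heimdal = {e for k in HEIMDAL_KEYS for e in opts.get(k, [])}
    return {
        "mit_options_set": [k for k in MIT_KEYS if k in opts],
        "heimdal_options_missing": [k for k in HEIMDAL_KEYS if k not in opts],
        "enctypes_only_under_mit_names": sorted(mit - heimdal),
    }

# Constructed sample configurations (not taken from a real UCS system).
ETYPES = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
BEFORE = "[libdefaults]\n" + "".join(f"    {k} = {ETYPES}\n" for k in MIT_KEYS)
AFTER = BEFORE + "".join(f"    {k} = {ETYPES}\n" for k in HEIMDAL_KEYS)

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf))
```

A non-empty `heimdal_options_missing` list together with entries in `enctypes_only_under_mit_names` marks a configuration whose enctype policy is expressed only in the names this report suspects Heimdal of ignoring.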
Comment 3 Felix Botner univentionstaff 2018-02-16 11:37:49 CET
FAIL - changelog?

OK - 4.3 master + 4.2 s4 backup works
OK - correct enctype options in 4.3 
      aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5,
      des-cbc-crc, des-cbc-md5, des-cbc-md4, des3-cbc-sha1
Comment 4 Arvid Requate univentionstaff 2018-02-16 12:21:28 CET
Ok, I've added an entry to the release changelog.
Comment 5 Felix Botner univentionstaff 2018-02-16 12:23:24 CET
OK
Comment 6 Stefan Gohmann univentionstaff 2018-03-14 14:38:11 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".