Thursday, May 20, 2010

Heimdal 1.3: BAD_ENCRYPTION_TYPE

Solution:

Edit the Kerberos configuration file (for me it's /etc/krb5.conf), and add this line in the [libdefaults] section:

allow_weak_crypto = true

Details:

More of the same... (see my posts on Berkeley DB). I compiled the latest version of Heimdal Kerberos the other day (it's the recommended flavor of Kerberos to use with OpenLDAP), and after getting everything set up, I would get these errors when trying to run LDAP searches:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (encryption type 2 not supportedt))

(sometimes it also said encryption type 1 not supportedt, again with the t on the end of supported)

My first thought was maybe I didn't have a valid Kerberos ticket, but when running kinit, I would get this:

kinit: krb5_get_init_creds: BAD_ENCRYPTION_TYPE

Google searches on those terms didn't get me far, but after looking through the Heimdal documentation, I realized they deprecated support for DES encryption in Heimdal 1.3. The solution I discovered for enabling it again is posted above.

Et voila! Back in business.

More information: DES will die in Heimdal 1.3
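
To find hosts where this workaround is still in place, the following added example (not part of the original post) reads a krb5.conf, reports allow_weak_crypto and any single-DES enctype listed in [libdefaults], and names the enctype numbers seen in the error text above (RFC 3961 numbering). The sample config, the realm name and the function names are constructed for illustration.

```python
import re

# RFC 3961 numbers for single DES, as seen in "encryption type N not supported".
DES_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
TRUTHY = {"true", "yes", "1"}  # values this example treats as "enabled"

# Constructed sample config, not taken from any real host.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # re-enabled for legacy keys
    allow_weak_crypto = true
    default_etypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_libdefaults(text):
    """Return the key/value pairs found directly under [libdefaults]."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key.lower()] = value
    return out

def audit(text):
    """List settings that leave single DES usable; enctype lists are
    recognised by a key name ending in 'etypes' or 'enctypes'."""
    conf, findings = parse_libdefaults(text), []
    if conf.get("allow_weak_crypto", "").lower() in TRUTHY:
        findings.append("allow_weak_crypto is enabled")
    for key, value in conf.items():
        if key.endswith(("etypes", "enctypes")):
            for name in re.split(r"[\s,]+", value):
                if name.lower() in DES_ETYPES.values():
                    findings.append(f"{key} lists {name}")
    return findings

def explain_etype(number):
    return DES_ETYPES.get(number, "not a single-DES enctype")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result from audit() means the file no longer opts in to DES; principals whose only keys are DES then need re-keying with a stronger enctype before the setting can be removed.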
