Subject: WARNING: Heimdal Krb5 interoperability issue as of 2/11/2001
To: None <current-users@netbsd.org>
From: Jason R Thorpe <thorpej@zembu.com>
List: current-users
Date: 03/07/2001 19:32:45
For those of you using Heimdal for your KDC and for the clients
in your realm, the update of Heimdal in the NetBSD source tree
from 0.3a to 0.3e causes an interoperability problem between
new Heimdal clients and an older KDC.  The issue appears to be
the inverse of an interoperability problem between Heimdal 0.3a
and MIT Kerberos 5 KDCs (the change likely made Heimdal clients
communicate properly with MIT KDCs).

You will get "Decrypt integrity check failed" when you attempt to
use your TGT for anything.  This is easily demonstrated using
"kinit -4" (which acquires a TGT, then uses the 5to4 service to
convert it to a Kerberos 4 ticket), e.g.:

dr-evil:thorpej 405$ kinit -4
thorpej@SHAGADELIC.ORG's Password: 
kinit: converting creds: Decrypt integrity check failed
dr-evil:thorpej 406$ 

You can work around it on updated clients by placing:

	default_etypes = des-cbc-crc

in the [libdefaults] section of your krb5.conf file.  Note that this
should only be done as a work-around -- you should update your KDC,
because that enctype isn't all that great.

(Assar -- this means that the Heimdal update should probably be pulled
up into the netbsd-1-5 branch, since -current clients talking to a 1.5
KDC are kind of screwed).

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
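
An added example, not part of the original message: a Python check that finds the work-around described above if it is still present in a krb5.conf after the KDC has been updated. The function names, the constructed sample file and the two extra single-DES enctype names (des-cbc-md4, des-cbc-md5) are assumptions of this example; only des-cbc-crc and default_etypes come from the message.

```python
import re

# des-cbc-crc is the enctype named in the message; the other two
# single-DES enctype names are added by this example (assumption).
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed sample krb5.conf carrying the work-around.
SAMPLE_WORKAROUND = """\
# constructed sample
[libdefaults]
    default_realm = SHAGADELIC.ORG
    default_etypes = des-cbc-crc
"""

def libdefaults_etypes(text):
    """Return {line_number: [etypes]} for default_etypes in [libdefaults]."""
    found, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.match(r"\[([^\]]+)\]\s*$", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "default_etypes":
            found[lineno] = value.replace(",", " ").split()
    return found

def audit(text):
    """Return (line, verdict, weak_etypes) for each risky default_etypes line."""
    findings = []
    for lineno, etypes in libdefaults_etypes(text).items():
        weak = [e for e in etypes if e.lower() in WEAK_ETYPES]
        if weak and len(weak) == len(etypes):
            findings.append((lineno, "pinned-weak", weak))   # only single DES allowed
        elif weak:
            findings.append((lineno, "allows-weak", weak))   # single DES still permitted
    return findings

if __name__ == "__main__":
    for lineno, verdict, weak in audit(SAMPLE_WORKAROUND):
        print(f"line {lineno}: {verdict}: {' '.join(weak)}")
```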