krb5.ini file issues
You may face the following issues related to the krb5.ini file. The krb5.ini file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. On Windows the file is located in the system directory: <windows-installation-directory>\Windows\krb5.ini.
Encryption types
Any tag in the configuration files that requires a list of encryption types can be set to some combination of the following strings. Types marked "(weak)" should not be enabled unless a legacy service requires them.
| String | Encryption type |
|---|---|
| des-cbc-crc | DES cbc mode with CRC-32 (weak) |
| des-cbc-md4 | DES cbc mode with RSA-MD4 (weak) |
| des-cbc-md5 | DES cbc mode with RSA-MD5 (weak) |
| des-cbc-raw | DES cbc mode raw (weak) |
| des3-cbc-raw | Triple DES cbc mode raw (weak) |
| des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd | Triple DES cbc mode with HMAC/sha1 |
| des-hmac-sha1 | DES with HMAC/sha1 (weak) |
| aes256-cts-hmac-sha1-96 aes256-cts | AES-256 CTS mode with 96-bit SHA-1 HMAC |
| aes128-cts-hmac-sha1-96 aes128-cts | AES-128 CTS mode with 96-bit SHA-1 HMAC |
| arcfour-hmac rc4-hmac arcfour-hmac-md5 | RC4 with HMAC/MD5 |
| arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp | Exportable RC4 with HMAC/MD5 (weak) |
| camellia256-cts-cmac camellia256-cts | Camellia-256 CTS mode with CMAC |
| camellia128-cts-cmac camellia128-cts | Camellia-128 CTS mode with CMAC |
| des | The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) |
| des3 | The triple DES family: des3-cbc-sha1 |
| aes | The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 |
| rc4 | The RC4 family: arcfour-hmac |
| camellia | The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac |
The string DEFAULT refers to the default set of types for the tag in question. Types or families are removed from the current list by prefixing them with a hyphen (-). A plus sign (+) prefix means the type or family is included; it has the same meaning as listing the bare type or family name. Entries are processed left to right, so order matters: for example, DEFAULT -des is the default set of encryption types with the DES types removed, and des3 DEFAULT is the default set of encryption types with the triple DES types moved to the front.
While aes128-cts and aes256-cts are supported for all Kerberos operations, they are not supported by very old versions of the GSSAPI implementation (krb5-1.3.1 and earlier). Services running versions of krb5 without AES support must not be given AES keys in the KDC database.
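The list syntax above is easy to get wrong in a way that silently leaves weak types enabled. The following added example (not part of the original page or of any Kerberos library) implements the resolution rules the text describes, DEFAULT insertion, family expansion, the "-" and "+" prefixes and left-to-right ordering, and then reports which weak types survive. The family members and aliases come from the table above; the contents of DEFAULT are an assumed, constructed ordering, since the real default set depends on the library version and build.

```python
"""Resolve a Kerberos enctype list as the krb5.ini documentation describes it.

Rules implemented (from the page text): a bare name adds that type, a family
name expands to its members, DEFAULT inserts the default set, a '-' prefix
removes the named type or family from what has been collected so far, and a
'+' prefix is the same as the bare name.  Processing is left to right, so
'des3 DEFAULT' puts triple DES in front of the defaults.
"""

# Family names and members exactly as listed in the encryption-type table.
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}

# Alternative spellings from the table, mapped to one canonical name.
ALIASES = {
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac-exp": "arcfour-hmac-exp",
    "arcfour-hmac-md5-exp": "arcfour-hmac-exp",
    "camellia256-cts": "camellia256-cts-cmac",
    "camellia128-cts": "camellia128-cts-cmac",
}

# Types the table marks "(weak)".  Note that plain arcfour-hmac (RC4) is not
# marked weak in that table, so it is deliberately not listed here.
WEAK = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp",
}

# ASSUMPTION: a constructed stand-in for the library's DEFAULT set.  It is
# only here so the examples have something concrete to operate on.
ASSUMED_DEFAULT = [
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5",
]


def expand(token, default):
    """Turn one token (type, alias, family or DEFAULT) into canonical types."""
    name = token.lower()
    if name == "default":
        return list(default)
    if name in FAMILIES:
        return list(FAMILIES[name])
    return [ALIASES.get(name, name)]


def resolve(spec, default=ASSUMED_DEFAULT):
    """Resolve a whitespace-separated enctype specification to an ordered list."""
    result = []
    for token in spec.split():
        if token.startswith("-"):
            for enctype in expand(token[1:], default):
                if enctype in result:
                    result.remove(enctype)
        else:
            if token.startswith("+"):
                token = token[1:]
            for enctype in expand(token, default):
                if enctype not in result:      # keep the first position seen
                    result.append(enctype)
    return result


def weak_types(enctypes):
    """Return the subset of a resolved list that the table marks as weak."""
    return [e for e in enctypes if e in WEAK]


if __name__ == "__main__":
    for spec in ("DEFAULT", "DEFAULT -des", "des3 DEFAULT", "aes +rc4"):
        resolved = resolve(spec)
        print(f"{spec!r:18} -> {resolved}  weak: {weak_types(resolved)}")
```

Running the script shows that, under the assumed DEFAULT, "DEFAULT -des" drops the two DES types while "des3 DEFAULT" keeps them and only changes the order; that is the distinction an administrator cleaning up an old krb5.ini usually wants to see before editing the tag.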
Salt types
Kerberos keys for users are usually derived from passwords. To ensure that users who pick the same password do not end up with the same key, Kerberos 5 incorporates additional information into the key derivation using a salt. The supported salt types are as follows:
| String | Salt type |
|---|---|
| normal | default for Kerberos Version 5 |
| v4 | the only type used by Kerberos Version 4 (no salt) |
| norealm | same as the default, without using realm information |
| onlyrealm | uses only realm information as the salt |
| afs3 | AFS version 3, only used for compatibility with Kerberos 4 in AFS |
| special | generate a random salt |
Wrong realms specified
Ensure that the realm names in your krb5.ini file are spelled correctly and correspond to realms that actually exist in your environment. Realm names are case-sensitive and are conventionally written in uppercase, so a realm referenced in [libdefaults] or [domain_realm] must match its [realms] entry exactly. Until the names are correct, your Kerberos applications may try to contact the wrong realm, and the resulting failures are tedious to debug.
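A quick consistency check catches most of these mistakes before they reach a client. The following added example (not part of the original page or of any Kerberos distribution) parses a krb5.ini with a small line-based parser that understands the `key = { ... }` groups used in [realms], then verifies that `default_realm` and every [domain_realm] target is defined under [realms], that each defined realm has a `kdc` entry, and that realm names are uppercase. The sample file embedded in the script is constructed for the illustration and contains two deliberate mistakes: a lowercase realm name and a transposed-letter typo.

```python
"""Check a krb5.ini for realm names that are misspelled or not defined."""

import difflib
import re

# Constructed sample krb5.ini for this example (not a real configuration).
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
    CORP.EXAMPLE.COM = {
        kdc = kdc.corp.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    .corp.example.com = corp.example.com   ; wrong case
    .lab.example.com = EXMAPLE.COM         ; typo
"""


def parse_krb5_ini(text):
    """Parse krb5.ini text into {section: {key: value}}.

    A 'key = {' line opens a nested dict that a bare '}' line closes.  Comments
    start with '#' or ';'.  This is a minimal parser written for this check,
    not the library's own configuration parser.
    """
    sections = {}
    stack = []                      # dicts currently being filled (innermost last)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:
            continue                # key outside any section: ignore
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" not in line:
            continue                # malformed line: ignore for this check
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            child = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1][key] = value
    return sections


def suggest(realm, defined):
    """Offer the defined realm a misspelled name most likely meant, if any."""
    for candidate in defined:
        if candidate.lower() == realm.lower():
            return candidate        # same name, wrong case
    close = difflib.get_close_matches(realm, defined, n=1, cutoff=0.8)
    return close[0] if close else None


def check_realms(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_krb5_ini(text)
    defined = list(cfg.get("realms", {}))
    findings = []

    def undefined(where, realm):
        msg = f"{where} refers to realm {realm!r}, which is not defined in [realms]"
        hint = suggest(realm, defined)
        if hint:
            msg += f" (did you mean {hint!r}? realm names are case-sensitive)"
        findings.append(msg)

    default_realm = cfg.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in defined:
        undefined("[libdefaults] default_realm", default_realm)
    for domain, realm in cfg.get("domain_realm", {}).items():
        if realm not in defined:
            undefined(f"[domain_realm] entry for {domain!r}", realm)
    for realm, body in cfg.get("realms", {}).items():
        if realm != realm.upper():
            findings.append(f"realm {realm!r} is not uppercase")
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(f"realm {realm!r} has no kdc entry")
    return findings


if __name__ == "__main__":
    for finding in check_realms(SAMPLE_KRB5_INI):
        print("-", finding)
```

On the sample the script reports the `corp.example.com` mapping (suggesting `CORP.EXAMPLE.COM`) and the `EXMAPLE.COM` typo (suggesting `EXAMPLE.COM`); pointing it at a real file is a matter of reading the path given at the top of this page instead of the embedded sample.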