Monday, 19 December 2022

Kerberos auth doesn't work after updating OpenJDK

What happened

After updating java-11-openjdk-11.0.10 to java-11-openjdk-11.0.17, the Java Kerberos client stopped working. The error message was:

Authentication failed: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE

Root cause

The Kerberos module in the newer JDK deprecates some weak encryption types and disables them by default, while the KDC is quite old and still uses one of those disabled types.

Solution

The easiest way to solve this problem is to re-enable the deprecated weak encryption types in the JDK's Kerberos module by adding one line, "allow_weak_crypto = true", to /etc/krb5.conf.

$ cat krb5.conf
[libdefaults]
        default_realm = UTORONTO.CA
        allow_weak_crypto = true
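
Because this setting turns weak encryption types back on, it is worth being able to find the hosts where it is in place so it can be removed once the KDC is upgraded. The following check is an added example, not part of the original post: it scans the [libdefaults] section of a krb5.conf for allow_weak_crypto and for weak entries in the enctype lists. The realm EXAMPLE.TEST, the sample file and the set of names treated as weak (DES, 3DES and RC4 families) are assumptions made for the example.

```python
import re

# Assumption: enctype names starting with these prefixes are the weak ones
# (single DES, 3DES, RC4/arcfour); AES and Camellia names do not match.
WEAK = re.compile(r"^(des|arcfour|rc4)", re.I)
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
# Superset of spellings commonly accepted as "true" in krb5.conf (assumption).
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
[libdefaults]
        default_realm = EXAMPLE.TEST
        allow_weak_crypto = true
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
# allow_weak_crypto = true in a comment is ignored
[realms]
        allow_weak_crypto = true
"""

def audit_krb5_conf(text):
    """Return (line_number, finding) pairs for weak-crypto settings in [libdefaults]."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                # track the current section
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue                              # only flat libdefaults keys are checked
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((lineno, "allow_weak_crypto is enabled"))
        elif key in ENCTYPE_KEYS:
            weak = [e for e in re.split(r"[\s,]+", value) if WEAK.match(e)]
            if weak:
                findings.append((lineno, f"{key} lists weak enctypes: {', '.join(weak)}"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_krb5_conf(SAMPLE):
        print(f"line {lineno}: {finding}")
```

To check a real host, pass the contents of /etc/krb5.conf to audit_krb5_conf instead of SAMPLE.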

