[29787] in CVS-changelog-for-Kerberos-V5


krb5 commit: Add caveats to krbtgt change documentation

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Dec 13 12:43:17 2016

Date: Tue, 13 Dec 2016 12:43:13 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201612131743.uBDHhDNv025568@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/56d05e87858b672591c1e6b7869cb08e8b1e0d59
commit 56d05e87858b672591c1e6b7869cb08e8b1e0d59
Author: Greg Hudson <ghudson@mit.edu>
Date:   Sun Dec 4 18:34:41 2016 -0500

    Add caveats to krbtgt change documentation
    
    In database.rst, describe a couple of krbtgt rollover issues and how
    to avoid them.
    
    ticket: 8524 (new)
    target_version: 1.15-next
    target_version: 1.14-next
    tags: pullup

 doc/admin/database.rst |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 078abc7..b693042 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -765,6 +765,24 @@ database as well as the new key.  For example::
              with older kvnos, ideally first making sure that all
              tickets issued with the old keys have expired.
 
+Only the first krbtgt key of the newest key version is used to encrypt
+ticket-granting tickets.  However, the set of encryption types present
+in the krbtgt keys is used by default to determine the session key
+types supported by the krbtgt service (see
+:ref:`session_key_selection`).  Because non-MIT Kerberos clients
+sometimes send a limited set of encryption types when making AS
+requests, it can be important to for the krbtgt service to support
+multiple encryption types.  This can be accomplished by giving the
+krbtgt principal multiple keys, which is usually as simple as not
+specifying any **-e** option when changing the krbtgt key, or by
+setting the **session_enctypes** string attribute on the krbtgt
+principal (see :ref:`set_string`).
+
+Due to a bug in releases 1.8 through 1.13, renewed and forwarded
+tickets may not work if the original ticket was obtained prior to a
+krbtgt key change and the modified ticket is obtained afterwards.
+Upgrading the KDC to release 1.14 or later will correct this bug.
+
 
 .. _incr_db_prop:
 
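Review bot: typo in the first added paragraph, at the line "+requests, it can be important to for the krbtgt service to support": drop the stray "to" so it reads "it can be important for the krbtgt service to support". Two smaller points on the same hunk: the new text relies on the cross-reference targets :ref:`session_key_selection` and :ref:`set_string`, neither of which is defined in this diff, so a Sphinx build with warnings treated as errors should be run to confirm both labels resolve; and the second added paragraph ("renewed and forwarded tickets may not work") would serve an administrator better if it said how the failure shows up to a client, since as written the reader has no way to tell a hit of this 1.8-1.13 bug from an ordinary ticket problem.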
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
