[23760] in Kerberos


default encryption types

daemon@ATHENA.MIT.EDU (Markus Moeller)
Fri Apr 22 16:17:49 2005

Message-Id: <200504221731.j3MHVDIQ013950@pacific-carrier-annex.mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: binary
Mime-Version: 1.0
From: Markus Moeller <huaraz@moeller.plus.com>
To: kerberos@mit.edu
Date: Fri, 22 Apr 2005 18:42:22 +0100
Reply-To: huaraz@moeller.plus.com
Errors-To: kerberos-bounces@mit.edu


I do have a setup with two KDCs (a Windows and a non-Windows KDC). I'd like to
use the highest encryption type available. The krb5.conf on my client looks like:

[libdefaults]
    default_realm = W2K3.COM
    default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc

[realms]
    W2K3.COM = {
        kdc = kdc.w2k3.com:88
        kpasswd_server = kdc.w2k3.com:464
    }
    MIT.COM = {
        kdc = kdc.mit.com:88
        kpasswd_server = kdc.mit.com:464
    }
[domain_realm]
    .mit.com = MIT.COM
    .w2k3.com = W2K3.COM


A kinit user@W2K3.COM gives the following error:
kinit(v5): KDC has no support for encryption type while getting initial credentials

It works the other way round, e.g.
   default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
   default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc


kinit user@MIT.COM gives no error and I get a tgt.


I know that MS doesn't support 3DES, but I thought if I give a list it will use
the next highest supported encryption type. Is this a bug in MS or does the
standard allow this behaviour?


Thanks
Markus


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
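
The fallback the poster expected (the first enctype in the client's list that the KDC also supports), as an added example that is not part of the original message and does not model what either KDC actually does. The per-realm KDC enctype sets and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: client settings as given in the post, first ordering.
KRB5_CONF = """\
[libdefaults]
    default_realm = W2K3.COM
    default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
[realms]
    W2K3.COM = {
        kdc = kdc.w2k3.com:88
    }
"""

# Assumption, not queried from any KDC: the post only says the Windows KDC
# lacks 3DES; the remaining entries of both sets are illustrative.
KDC_ENCTYPES = {
    "W2K3.COM": {"rc4-hmac", "des-cbc-md5", "des-cbc-crc"},
    "MIT.COM": {"des3-cbc-sha1", "rc4-hmac", "des-cbc-md5", "des-cbc-crc"},
}

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values

def first_common(client_prefs, kdc_supported):
    """First client-preferred enctype the KDC also supports, else None."""
    return next((e for e in client_prefs if e in kdc_supported), None)

def report(text):
    """Map (setting, realm) -> (enctypes the KDC lacks, expected fallback)."""
    values, out = libdefaults(text), {}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        # krb5.conf lists may be separated by whitespace and/or commas.
        prefs = [e for e in re.split(r"[,\s]+", values.get(key, "")) if e]
        for realm, supported in KDC_ENCTYPES.items():
            lacking = [e for e in prefs if e not in supported]
            out[(key, realm)] = (lacking, first_common(prefs, supported))
    return out
```

Comparing the `lacking` entries against a failing `kinit` shows whether the error coincides with a first-preference enctype the target KDC cannot honour.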
