[23761] in Kerberos


Re: default encryption types

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Apr 22 16:41:55 2005

Message-ID: <42696097.7000804@anl.gov>
Date: Fri, 22 Apr 2005 15:37:43 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: huaraz@moeller.plus.com
In-Reply-To: <200504221731.j3MHVDIQ013950@pacific-carrier-annex.mit.edu>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu



Markus Moeller wrote:

> I do have a setup with two kdcs ( A windows and non-windows kdc ). I'd like to
> use the highest encryption type  available. The krb5.conf on my client looks like:
> 
> [libdefaults]
>     default_realm = W2K3.COM
>     default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
>     default_tgs_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc


I think you need commas in the list, and I think it is called arcfour-hmac-md5.
Try something like:

       default_tkt_enctypes = des3-cbc-sha1,arcfour-hmac-md5,des-cbc-md5,des-cbc-crc

> 
> [realms]
>     W2K3.COM = {
>         kdc = kdc.w2k3.com:88
>         kpasswd_server = kdc.w2k3.com:464
>     }
>     MIT.COM = {
>         kdc = kdc.mit.com:88
>         kpasswd_server = kdc.mit.com:464
>     }
> [domain_realm]
>     .mit.com = MIT.COM
>     .w2k3.com = W2K3.COM
> 
> 
> A kinit user@W2K3.COM gives the following error:
> kinit(v5): KDC has no support for encryption type while getting initial credentials
> 
> It works the other way round e.g. 
>    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
>    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
> 
> 
> kinit user@MIT.COM gives no error and I get a tgt.
> 
> 
> I know that MS doesn't support 3DES, but I thought if I give a list it will use
> the next highest supported encryption type. Is this a bug in MS or does the
> standard allow this behaviour ?
> 
> 
> Thanks
> Markus
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
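
An added example, not part of the original message: a small Python check that reads the enctype lists from a krb5.conf, normalises them, and reports single-DES entries by preference position. It assumes the alias names and the comma-or-whitespace list syntax given in the MIT krb5.conf documentation; the function names and the sample text are constructed for illustration.

```python
import re

# Alias groups as listed in the MIT krb5.conf documentation (assumption: your
# library accepts the same names). Only enctypes named in this thread are covered.
ALIASES = {
    "des-cbc-crc": ("des-cbc-crc",), "des-cbc-md5": ("des-cbc-md5",),
    "des3-cbc-sha1": ("des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"),
    "arcfour-hmac": ("arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"),
}
CANONICAL = {alias: canon for canon, names in ALIASES.items() for alias in names}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5"}  # 56-bit keys, deprecated by RFC 6649
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def parse_enctype_lists(conf_text):
    """Return {key: [canonical enctypes in preference order]} from [libdefaults].

    Values are split on commas and/or whitespace, so both spellings parse."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            names = [n for n in re.split(r"[,\s]+", value) if n]
            found[key] = [CANONICAL.get(n.lower(), "UNKNOWN:" + n) for n in names]
    return found

def audit(conf_text):
    """Return sorted (key, position, enctype, problem) findings."""
    findings = []
    for key, enctypes in parse_enctype_lists(conf_text).items():
        for pos, name in enumerate(enctypes):
            if name.startswith("UNKNOWN:"):
                findings.append((key, pos, name[8:], "name not in alias table"))
            elif name in SINGLE_DES:
                findings.append((key, pos, name, "single DES"))
    return sorted(findings)

# Constructed sample: the thread's two list spellings, one per key.
SAMPLE = """[libdefaults]
    default_realm = W2K3.COM
    default_tkt_enctypes = des3-cbc-sha1,arcfour-hmac-md5,des-cbc-md5,des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
"""
for finding in audit(SAMPLE):
    print(finding)
```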
