[23761] in Kerberos
Re: default encryption types
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Apr 22 16:41:55 2005
Message-ID: <42696097.7000804@anl.gov>
Date: Fri, 22 Apr 2005 15:37:43 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: huaraz@moeller.plus.com
In-Reply-To: <200504221731.j3MHVDIQ013950@pacific-carrier-annex.mit.edu>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Markus Moeller wrote:
> I do have a setup with two kdcs ( A windows and non-windows kdc ). I'd like to
> use the highest encryption type available. The krb5.conf on my client looks like:
>
> [libdefaults]
> default_realm = W2K3.COM
> default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
I think you need commas, in the list I think it is called is arcfour-hmac-md5
Try something like:
default_tkt_enctypes = des3-cbc-sha1,arcfour-hmac-md5,des-cbc-md5,des-cbc-crc
>
> [realms]
> W2K3.COM = {
> kdc = kdc.w2k3.com:88
> kpasswd_server = kdc.w2k3.com:464
> }
> MIT.COM = {
> kdc = kdc.mit.com:88
> kpasswd_server = kdc.mit.com:464
> }
> [domain_realm]
> .mit.com = MIT.COM
> .w2k3.com = W2K3.COM
>
>
> A kinit user@W2K3.COM gives the following error:
> kinit(v5): KDC has no support for encryption type while getting initial credentials
>
> It works the other way round e.g.
> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
>
>
> kinit user@MIT.COM gives no error and I get a tgt.
>
>
> I know that MS doesn't support 3DES, but I thought if I give a list it will use
> the next highest supported encryption type. Is this a buf in MS or does the
> standard allow this behaviour ?
>
>
> Thanks
> Markus
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos