[37622] in Kerberos
RE: Avoiding "KDC has no support for encryption type while getting
daemon@ATHENA.MIT.EDU (Osipov, Michael)
Thu Aug 18 06:58:34 2016
From: "Osipov, Michael" <michael.osipov@siemens.com>
To: Todd Grayson <tgrayson@cloudera.com>, Greg Hudson <ghudson@mit.edu>
Date: Thu, 18 Aug 2016 10:58:21 +0000
Message-ID: <68644224DA0DE64CA5A49838ED219A0425B8CF07@DEFTHW99EJ5MSX.ww902.siemens.net>
In-Reply-To: <CALNT6MVHxWt2YWnm-UuFn8AcO4BX89WtxKrzBBTEdpqgDzNJeQ@mail.gmail.com>
Content-Language: de-DE
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Todd,
> Michael,
>
> This does not fix your issue, its more for clarification of discussion.
>
> The "domain functional level" should be dictating the behavior of the
> aggregate AD environment. You can control the preference for encryption
> type in the krb5.conf's [libdefaults] enctype settings
> (default_tgs_enctypes, permitted_enctypes, default_tkt_enctypes).
The forest functional level is at 2 (Windows Server 2003) while
domain is at 4 (Windows Server 2008 R2).
I'd like to avoid fiddling with the enctypes on all machines because this
is a rare case.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
