As you may have seen on the krb5 mailing list [1], there was a problem with my patch [2] to limit the enctypes requested to those in the keytab.
This patch to krb5 was to help sssd work with keytabs generated by samba (which has no AES support) when used with AD running on Windows 2008 or later (which have AES support). We also patched sssd for this problem, so it can work with versions of krb5 that didn't have the aforementioned fix.

The problem [1] was solved [3] by Greg by getting the default_tkt_enctypes and sorting the ones in the keytab first. However, it seems that we cannot trivially solve this problem in our sssd enctypes code in the same way. This is due to the fact that we don't have access to the default_tkt_enctypes beforehand.

We have the following options:

1) Rewrite the way we kinit with a keytab. Use krb5_init_creds_init() + krb5_init_creds_set_keytab() + krb5_init_creds_get() instead of just krb5_get_init_creds_keytab().

2) Revert my patch to sssd, and tell people to upgrade to a recent krb5 1.11.x. This breaks sssd with samba-generated keytabs and Windows 2008.

3) Leave my patch in sssd, and tell people not to set default_tkt_enctypes when using sssd, which would otherwise break their setup.

I realize this is a bit confusing, and hope I explained it well enough. Ping me if something doesn't make sense.

Stef

[1] http://mailman.mit.edu/pipermail/krbdev/2012-July/010998.html
[2] https://github.com/krb5/krb5/commit/8230c4b7b7323cdef2a6c877deb710a15380f40f
[3] https://github.com/krb5/krb5/commit/61659df1036d1ad6d6891293f5949e720a2028f7

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
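As an added illustration (not part of Stef's message, and not code from krb5 or sssd), here is the reordering the message attributes to the krb5 fix [3], written as a stand-alone C function over enctype numbers: take the configured default_tkt_enctypes list and move the enctypes the keytab holds a key for to the front, keeping the configured order within each group. The enctype constants are the standard RFC-assigned values; the two sample lists (a strongest-first default list and a samba-style keytab without AES keys) are constructed, and all function names are my own. A second function counts how many of the offered enctypes the keytab could actually decrypt a reply for, which is the check that fails when an AES-capable KDC answers a client whose keytab has no AES key.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Standard Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
 * A real program would use the krb5_enctype values from <krb5.h>. */
enum {
    ENCTYPE_DES_CBC_CRC             = 1,
    ENCTYPE_DES_CBC_MD5             = 3,
    ENCTYPE_DES3_CBC_SHA1           = 16,
    ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17,
    ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18,
    ENCTYPE_ARCFOUR_HMAC            = 23
};

typedef int enctype_t; /* stands in for krb5_enctype */

/* Constructed sample: a typical default_tkt_enctypes list, strongest first. */
static const enctype_t SAMPLE_DEFAULTS[] = {
    ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
    ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_MD5
};
#define N_SAMPLE_DEFAULTS (sizeof SAMPLE_DEFAULTS / sizeof SAMPLE_DEFAULTS[0])

/* Constructed sample: key enctypes of a samba-generated keytab (no AES). */
static const enctype_t SAMPLE_SAMBA_KEYTAB[] = {
    ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC
};
#define N_SAMPLE_SAMBA_KEYTAB (sizeof SAMPLE_SAMBA_KEYTAB / sizeof SAMPLE_SAMBA_KEYTAB[0])

static bool contains(const enctype_t *list, size_t n, enctype_t e)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == e)
            return true;
    return false;
}

/* Reorder `defaults` so that every enctype the keytab has a key for comes
 * first; relative order within each group is kept. Enctypes that are only in
 * the keytab are NOT added: the configured list decides what is offered.
 * Writes at most `cap` entries to `out` and returns the number written. */
size_t order_enctypes_keytab_first(const enctype_t *defaults, size_t ndef,
                                   const enctype_t *keytab, size_t nkt,
                                   enctype_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < ndef && n < cap; i++)   /* pass 1: keytab-backed */
        if (contains(keytab, nkt, defaults[i]))
            out[n++] = defaults[i];
    for (size_t i = 0; i < ndef && n < cap; i++)   /* pass 2: the remainder */
        if (!contains(keytab, nkt, defaults[i]))
            out[n++] = defaults[i];
    return n;
}

/* Number of offered enctypes the keytab could decrypt an AS-REP for.
 * Zero means the request cannot succeed whatever the KDC picks. */
size_t usable_enctypes(const enctype_t *offered, size_t noff,
                       const enctype_t *keytab, size_t nkt)
{
    size_t count = 0;
    for (size_t i = 0; i < noff; i++)
        if (contains(keytab, nkt, offered[i]))
            count++;
    return count;
}

/* Runs the reorder over the constructed samples; used by main() below. */
size_t demo_order(enctype_t *out, size_t cap)
{
    return order_enctypes_keytab_first(SAMPLE_DEFAULTS, N_SAMPLE_DEFAULTS,
                                       SAMPLE_SAMBA_KEYTAB, N_SAMPLE_SAMBA_KEYTAB,
                                       out, cap);
}

int main(void)
{
    enctype_t out[8];
    size_t n = demo_order(out, 8);
    printf("offered order:");
    for (size_t i = 0; i < n; i++)
        printf(" %d", out[i]);
    printf("\nusable by keytab: %zu of %zu\n",
           usable_enctypes(out, n, SAMPLE_SAMBA_KEYTAB, N_SAMPLE_SAMBA_KEYTAB), n);
    return 0;
}
```

With the samba-style keytab the offered list becomes RC4, DES-CBC-MD5, AES256, AES128, DES3, so a KDC that honours client preference lands on a key the client actually has. In option 1 of the message, the same reordered list is what would be handed to krb5_get_init_creds_opt_set_etype_list() before driving the krb5_init_creds_* sequence; the keytab's enctypes would come from iterating its entries with krb5_kt_start_seq_get()/krb5_kt_next_entry().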