On Sat, 2012-02-25 at 09:35 -0500, John Dennis wrote:
> On 02/25/2012 09:20 AM, Simo Sorce wrote:
> > Use -e to see what enctypes are reported.
> Is this difference in any way related to s4u2proxy or did the extra 
> enctypes show up because we upgraded Kerberos and picked up other 
> unrelated behavior at the same time.

No, the contents of the keytab have nothing to do with day to day
Tickets and TGTs are stored in your ccache.

> Why do we now have all these enctypes? Is it to satify forwarding/proxy 
> when you don't know a prori which enctype the foreign endpoint will require?

Because in kerberos each principal can have multiple keys, generally one
per supported (by the KDC) enctype. This is so that a client can use the
strongest enctype it has crypto support for.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to