On Sat, 2012-02-25 at 09:35 -0500, John Dennis wrote:
> On 02/25/2012 09:20 AM, Simo Sorce wrote:
> > Use -e to see what enctypes are reported.
> Is this difference in any way related to s4u2proxy or did the extra
> enctypes show up because we upgraded Kerberos and picked up other
> unrelated behavior at the same time.
No, the contents of the keytab have nothing to do with day to day
Tickets and TGTs are stored in your ccache.
> Why do we now have all these enctypes? Is it to satify forwarding/proxy
> when you don't know a prori which enctype the foreign endpoint will require?
Because in kerberos each principal can have multiple keys, generally one
per supported (by the KDC) enctype. This is so that a client can use the
strongest enctype it has crypto support for.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list