>>>>> "shaun" == <[EMAIL PROTECTED]> writes:
shaun> I've noticed this message in our logs on our master KDC machine: shaun> BAD_ENCRYPTION_TYPE: blah blah KDC has no support for encryption type Are these for TGS_REQ or AS_REQ transactions? Can you show us some excerpts from your logs? Are you experiencing actual client failures? Note that the GSSAPI library will attempt to request a des3 ticket session key for the service ticket regardless of whether there is a des3 key for that service principal. This can result in the logging of many "no support for encryption type" in the logs, which should not be alarming. (Yes, it's broken for other reasons, but let's not get into the details of that right now.) shaun> The /etc/krb5.conf file on both the KDC and the clients contains shaun> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc shaun> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc What's in permitted_enctypes on the KDC? shaun> In kdc.conf on the master I have: shaun> support_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 shaun> des:norealm des:onlyrealm des:afs3 That should be ok, though it should be spelled "supported_enctypes". Admittedly, there shouldn't be quite that many enctypes listed, but we need to modify our example config files to be more sane along those lines. ---Tom
