Thanks all for the help in getting me this far.
(by using:
supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm \
des-cbc-md5:onlyrealm des-cbc-crc:v4
in my kdc.conf).
Now, in my kdc.log I'm seeing these requests from the VPN server:
Oct 10 06:59:35 kerberos-1.iastate.edu krb5kdc[9196](info): \
AS_REQ (7 etypes {3 1 2 16 8 23 0}) 129.186.97.220(88): \
ISSUE: authtime 1065787175, etypes {rep=3 tkt=1 ses=1}, \
[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
I assume the 'AS_REQ (7 etypes ...' means it will accept keys with any
of those 7 enctypes. (I have no idea what enctype 23 is as it is not
in krb5.h but I'll assume that is unimportant.)
The reply 'ISSUE: ... etypes {rep=3 tkt=1 ses=1}' is not something
I understand completely though (and it seems to be unacceptable
to the VPN).
I assume that means that:
* the reply itself is encrypted using ENCTYPE_DES_CBC_MD5(#3),
* the ticket inside the reply is using ENCTYPE_DES_CBC_CRC(#1),
* as is the session key
Correct?
How is it decided what enctype is used for the
reply, ticket, and session key?
Is it a reasonable guess that the VPN wants the tkt to be enctype #3 too?
If so, how to make this happen?
Thanks,
John
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
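
Added example, not part of the original message or of MIT Kerberos: a small parser for the numeric-etype log format quoted above, reading rep, tkt and ses as the reply, ticket and session-key enctypes the way the message does, and flagging single-DES use. The principals in the sample line are placeholders, and the function and field names are this example's own.

```python
import re

# Enctype numbers with the names MIT krb5 uses (8 is an MIT-specific value).
ETYPE_NAMES = {
    0: "null", 1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    8: "des-hmac-sha1", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3, 8}  # 56-bit DES enctypes worth flagging in an audit

# Constructed sample: the log entry from the message joined onto one line,
# with placeholder principals in place of the redacted ones.
SAMPLE = (
    "Oct 10 06:59:35 kerberos-1.iastate.edu krb5kdc[9196](info): "
    "AS_REQ (7 etypes {3 1 2 16 8 23 0}) 129.186.97.220(88): "
    "ISSUE: authtime 1065787175, etypes {rep=3 tkt=1 ses=1}, "
    "user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM"
)

REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \((\d+) etypes \{([\d ]*)\}\)")
ISSUE_RE = re.compile(r"ISSUE: .*?etypes \{rep=(-?\d+) tkt=(-?\d+) ses=(-?\d+)\}")

def name(etype):
    """Map an enctype number to its name, keeping unknown numbers visible."""
    return ETYPE_NAMES.get(etype, f"unknown({etype})")

def parse_kdc_line(line):
    """Return requested and issued enctypes for one ISSUE line, else None."""
    req, issue = REQ_RE.search(line), ISSUE_RE.search(line)
    if not (req and issue):
        return None  # not a request that resulted in an issued ticket
    requested = [int(n) for n in req.group(3).split()]
    if len(requested) != int(req.group(2)):
        return None  # truncated or malformed etype list
    rep, tkt, ses = (int(g) for g in issue.groups())
    return {
        "type": req.group(1),
        "requested": [name(e) for e in requested],
        "reply": name(rep), "ticket": name(tkt), "session": name(ses),
        "single_des": sorted({rep, tkt, ses} & SINGLE_DES),
    }

if __name__ == "__main__":
    for key, value in parse_kdc_line(SAMPLE).items():
        print(f"{key}: {value}")
```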