On Tue, Mar 28, 2006 at 07:29:14PM -0800, Russ Allbery wrote:
> "Douglas E Engert" <[EMAIL PROTECTED]> writes:
>
> >> 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
>
> >>     default_tgs_enctypes = des-cbc-crc
> >>     default_tkt_enctypes = des-cbc-crc
>
> > You may want to take these last two lines out, as it might be forcing to
> > only accept DES, even though the KDC and the client think it can do
> > better.
>
> That's the only thing that our KDC, right now, is going to be willing to
> do.  That's changing slowly, but not yet for host/* principals.

Just because your principals only have 1DES long-term keys doesn't mean
that you need to set default_tgs_enctypes/default_tkt_enctypes; in fact,
you shouldn't.

These parameters are intended to protect the client from
pre-authenticating using weak ciphers; 1DES being the weakest cipher
Kerberos V supports, it really makes no sense to use these parameters in
your case.

Besides this you're almost certainly running into:

    6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ
            has des-cbc-md5 and preauth required

I've Cc'ed Will Fiveash, who's more familiar with that CR.

Nico
--
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
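
An added example, not part of the original thread and not code from any Kerberos distribution: a small audit of the [libdefaults] section of a krb5.conf that reports when default_tkt_enctypes or default_tgs_enctypes pins the client to single DES, as in the two lines quoted above. The function name audit_libdefaults, the SAMPLE text and the EXAMPLE.EDU realm are assumptions made for illustration.

```python
import re

# Single-DES enctype names as spelled in krb5.conf. The thread names
# des-cbc-crc and des-cbc-md5; the rest are the other single-DES names
# accepted by MIT krb5 (listed here as an assumption about the target build).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}
AUDITED_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")


def audit_libdefaults(conf_text):
    """Return (key, enctypes, verdict) for each audited key in [libdefaults]."""
    findings = []
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in AUDITED_KEYS:
            continue
        enctypes = [e.lower() for e in re.split(r"[,\s]+", value) if e]
        weak = [e for e in enctypes if e in SINGLE_DES]
        if weak and len(weak) == len(enctypes):
            verdict = "des-only"      # client requests nothing but single DES
        elif weak:
            verdict = "allows-des"    # stronger types listed, DES still offered
        else:
            verdict = "ok"
        findings.append((key, enctypes, verdict))
    return findings


# Constructed sample mirroring the two lines quoted in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
[realms]
    EXAMPLE.EDU = { kdc = kdc.example.edu }
"""

if __name__ == "__main__":
    for key, enctypes, verdict in audit_libdefaults(SAMPLE):
        print(f"{key}: {' '.join(enctypes)} -> {verdict}")
```

A "des-only" verdict marks the configuration the reply advises against; removing the two lines leaves the client on its built-in enctype defaults.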
