>>> 4) /etc/krb5/krb5.conf is the standard one from campus and includes:
>>>       default_tgs_enctypes = des-cbc-crc
>>>       default_tkt_enctypes = des-cbc-crc
>
>> You may want to take these last two lines out, as it might be forcing to
>> only accept DES, even though the KDC and the client think it can do
>> better.
>
>That's the only thing that our KDC, right now, is going to be willing to
>do. That's changing slowly, but not yet for host/* principals.

As someone who spent years tracking down problems related to those damn lines in krb5.conf .... trust me when I say that you want to start removing those configuration options _now_. 99.9% of the time you don't need those options, and they're just going to cause you trouble eventually. I never distributed a krb5.conf file with those options, but somehow people out there ended up with those options in it, and it caused us no end of problems when we ditched single-DES (I think some ancient version of MIT Kerberos had those in a sample config file, so people unwisely copied those into their config file because they used the sample config file as a template; it just got copied around over the years because people "thought that they needed it").

You've already endured enough pain by having a lowercase realm name ... do you really want more? :-)

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
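
An added example, not part of the original thread: a small Python check that finds the enctype-pinning lines discussed above in a krb5.conf and says whether each one restricts the client to single-DES. The function name `audit_krb5_conf` and the sample file contents are constructed for illustration; `permitted_enctypes` and the `DEFAULT -des` list syntax come from MIT krb5 and are not mentioned in the thread.

```python
import re

# [libdefaults] options that pin the enctypes a client will request or accept.
PIN_OPTIONS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}
# Single-DES enctype names; "des" is the MIT family alias for all three.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

def audit_krb5_conf(text):
    """Return (line_no, section, option, enabled_enctypes, verdict) per pin."""
    findings, section = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() not in PIN_OPTIONS:
            continue
        tokens = [t.lower() for t in re.split(r"[,\s]+", value.strip()) if t]
        # A leading "-" removes a type from the list; "+" is the same as listing it.
        enabled = [t.lstrip("+") for t in tokens if not t.startswith("-")]
        weak = [t for t in enabled if t in SINGLE_DES]
        if enabled and len(weak) == len(enabled):
            verdict = "single-DES only"
        elif weak:
            verdict = "includes single-DES"
        else:
            verdict = "pinned"
        findings.append((line_no, section, key.strip(), enabled, verdict))
    return findings

# Constructed sample; the two des-cbc-crc lines are the ones quoted in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    # permitted_enctypes = des-cbc-crc
    permitted_enctypes = DEFAULT -des
"""

if __name__ == "__main__":
    for line_no, section, option, enabled, verdict in audit_krb5_conf(SAMPLE):
        print(f"line {line_no} [{section}] {option} = {' '.join(enabled)}: {verdict}")
```

Every finding is a candidate for removal in the sense Ken describes; the verdict only ranks which pins will break first once the KDC stops issuing single-DES keys.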
