Thanks so much Tom; that makes sense to me. I would vote for not changing it since it's been like, you know, 20 years in the making, but if we're gonna change it perhaps:
harris_enctypes ? :)

Tom Yu wrote:
> John Harris <[email protected]> writes:
>
>> Greetings,
>>
>> I currently have a MIT KDC where I need to use the des-cbc-crc:normal
>> encryption type on *one* service principal. The rest of my KDC all
>> principals can be aes or rc4. I'm confused as to what I need in my
>> config and what will work.
>>
>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>> in the supported_enctypes field, I'm still able to create the
>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>> for it and obtain it. My confusion lies in that I thought not having
>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>> recognize or serve tickets for it.
>>
>> It'd be great to not have to put this in the config line so that later
>> principals only get the aes256 and rc4 types on them, but I'm not
>> understanding why I'm successfully obtaining a principal with only the
>> des encryption type without adding it to this line.
>
> The "supported_enctypes" configuration variable really means "default
> list of enctype-salttype pairs for which the kadmin subsystem will
> generate keys". The name is arguably misleading; if anyone has ideas
> about a better name, please suggest one.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
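Because `supported_enctypes` is only the default list for key generation, an audit for single-DES keys has to look at the keys each principal actually holds. The following is an added example, not code from the thread or from MIT krb5: it compares the `supported_enctypes` line with `Key: vno N, <enctype>` lines as printed by kadmin's `getprinc`. The alias table, the exact output layout and all principal names are assumptions, and the sample input is constructed.

```python
import re

# Aliases accepted in kdc.conf mapped to the canonical names kadmin prints
# (assumed small subset, enough for the enctypes named in the thread).
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
    "des-cbc-crc": "des-cbc-crc",
}

def default_enctypes(kdc_conf):
    """Return the enctypes listed in supported_enctypes (salt types dropped)."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.M)
    if not m:
        return set()
    pairs = re.split(r"[,\s]+", m.group(1).strip())
    return {ALIASES.get(p.split(":")[0], p.split(":")[0]) for p in pairs if p}

def keys_outside_defaults(getprinc_output, defaults):
    """Map principal -> stored key enctypes that are not in the default list."""
    findings, principal = {}, None
    for line in getprinc_output.splitlines():
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
        m = re.match(r"Key: vno \d+, ([^,\s]+)", line)
        if m and principal:
            enctype = ALIASES.get(m.group(1), m.group(1))
            if enctype not in defaults:
                findings.setdefault(principal, []).append(enctype)
    return findings

# Constructed sample input, not taken from the thread.
KDC_CONF = """[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal rc4-hmac:normal
    }
"""
GETPRINC = """Principal: host/new.example.com@EXAMPLE.COM
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, arcfour-hmac
Principal: legacy/app.example.com@EXAMPLE.COM
Key: vno 2, des-cbc-crc
"""

if __name__ == "__main__":
    for princ, etypes in keys_outside_defaults(GETPRINC, default_enctypes(KDC_CONF)).items():
        print(f"{princ}: keys outside supported_enctypes: {', '.join(etypes)}")
```
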
