On 09/14/2012 01:41 PM, Martin B. Smith wrote:
> krb5kdc[2783](info): AS_REQ (1 etypes {16}) 10.253.17.19:
> BAD_ENCRYPTION_TYPE

Check the key types present in the krbtgt principal.

Longer answer: When you make an AS request, the KDC needs to pick three keys: the encryption key for the ticket, the session key, and the reply key. The ticket encryption key needs to be understood by the server, the reply key needs to be understood by the client, and the session key needs to be understood by both.

We assume that the server understands the encryption keys that it has long-term keys for in its principal entry (unless the session_enctypes string attribute is set, but that's new in 1.11 which isn't out yet).

A BAD_ENCRYPTION_TYPE error means the server couldn't pick a session key, meaning there was no commonality between the requested enctypes and the server principal entry's key types (or that all of the common entries aren't permitted, but that's not an issue in your scenario). So it's the server's principal entry--in this case, krbtgt/REALMNAME--which is the problem, not the client's.

If there were a problem picking a reply key, you would get a CANT_FIND_CLIENT_KEY error in the logs.
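The three key choices described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code. It is a simplified model: the function names, the order of the checks, the "first match wins" preference, and the sample key lists are assumptions made for illustration.

```python
# Simplified model of how a KDC picks the session, reply and ticket keys
# for an AS request. Illustration only; not taken from MIT krb5.

# Enctype numbers as they appear in KDC logs, e.g. "1 etypes {16}".
ETYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def first_match(preferred, available):
    """Return the first etype in `preferred` that is in `available`, else None."""
    for etype in preferred:
        if etype in available:
            return etype
    return None


def as_req_outcome(requested, client_keys, server_keys, permitted=None):
    """Model the key selection for one AS request.

    requested   -- etypes from the AS_REQ, in client preference order
    client_keys -- etypes of the client principal's long-term keys
    server_keys -- etypes of the server principal's long-term keys
                   (krbtgt/REALMNAME for an AS request), in stored order
    permitted   -- etypes the KDC allows for session keys (default: all known)
    """
    permitted = set(ETYPE_NAMES) if permitted is None else set(permitted)

    # Session key: must be understood by both sides, so it has to be
    # requested by the client, present on the server principal, and permitted.
    usable = [e for e in server_keys if e in permitted]
    session = first_match(requested, usable)
    if session is None:
        return {"error": "BAD_ENCRYPTION_TYPE"}

    # Reply key: only the client must understand it.
    reply = first_match(requested, client_keys)
    if reply is None:
        return {"error": "CANT_FIND_CLIENT_KEY"}

    # Ticket key: only the server must understand it (model: first stored key).
    return {"ticket": server_keys[0], "session": session, "reply": reply}
```

With the logged request (`requested=[16]`), a constructed krbtgt entry holding only keys 18 and 17 returns `BAD_ENCRYPTION_TYPE` no matter which keys the client principal has.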
