On 09/14/2012 01:53 PM, Greg Hudson wrote:
> A BAD_ENCRYPTION_TYPE error means the server couldn't pick a session key, meaning there was no commonality between the requested enctypes and the server principal entry's key types (or that all of the common entries aren't permitted, but that's not an issue in your scenario). So it's the server's principal entry--in this case, krbtgt/REALMNAME--which is the problem, not the client's.

Thanks Greg and Marcus. It was exactly as you pointed out. Are there any side effects of rekeying krbtgt@REALMNAME? I'm guessing any existing TGTs are invalidated, but I haven't reasoned out any other problems that might occur.
I'm working on a migration of encryption types, and I was trying to identify why one of the etypes was single DES still. Now I see much better etypes for tkt, in addition to rep and ses in the KDC logs :).
Thanks for the help!

--
Martin B. Smith, Systems Administrator
[email protected] - (352) 273-1329
UF Information Technology, CNS/Open Systems Group
University of Florida
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
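
An added example, not part of the thread and not MIT krb5 code: a small audit helper that reads kadmin getprinc-style output for the krbtgt principal, flags single-DES keys, and applies a simplified model of the session-key selection described in the quoted reply. The sample text, the EXAMPLE.COM realm, the function names and the assumed line form "Key: vno N, <enctype>" are constructed for illustration.

```python
import re

# Single-DES enctype names as MIT krb5 spells them; treated as weak in this audit.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed sample in the style of kadmin "getprinc" output (not from the thread).
SAMPLE_GETPRINC = """\
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 1
Key: vno 1, des-cbc-crc
"""

# Assumed line form: "Key: vno <kvno>, <enctype-name>"
KEY_LINE = re.compile(r"^Key: vno (\d+), ([A-Za-z0-9-]+)", re.M)


def principal_enctypes(getprinc_text):
    """Return the enctypes of the highest-kvno keys, in the order listed."""
    keys = [(int(v), e.lower()) for v, e in KEY_LINE.findall(getprinc_text)]
    if not keys:
        return []
    top = max(v for v, _ in keys)
    return [e for v, e in keys if v == top]


def select_session_enctype(requested, server_keys, permitted=None):
    """Simplified model of the rule in the quoted reply: take the first
    requested enctype that the server principal has a key for and that is
    permitted. Returning None stands for the BAD_ENCRYPTION_TYPE case."""
    for enctype in requested:
        if enctype in server_keys and (permitted is None or enctype in permitted):
            return enctype
    return None


def audit(getprinc_text, requested):
    """Summarize key enctypes, weak keys, and the modelled session enctype."""
    keys = principal_enctypes(getprinc_text)
    return {
        "key_enctypes": keys,
        "weak_keys": [e for e in keys if e in WEAK],
        "session_enctype": select_session_enctype(requested, keys),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_GETPRINC, ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]))
```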
