Ken Hornstein <[EMAIL PROTECTED]> writes: > A slight expansion on this.
> Clients from the MIT 1.0.x era would reject service tickets if they were > encrypted with an enctype they didn't know about (since clients don't > decrypt service tickets they shouldn't need to care about the enctype). > The exception to this was the TGT (it used a different codepath). So > you could have an AES TGT (for example) and it would work fine even > though AES keys for service principals would not (3DES had the same > issue from what I remember). > I believe this was fixed in the 1.1 or 1.2 timeframe. I've also found that if I took a client linked with a Kerberos library that didn't understand AES keys (1.2 era), pointed it at a ticket cache containing an AES TGT, and asked it to get a service ticket, it would fail. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
