[krbdev.mit.edu #2155] krb5-1.3.x testing with default_tgs_enctypes in krb5.conf

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Sat Jan 31 18:13:29 EST 2004


After an evaluation of the code by Sam and myself, we have concluded
that this is not a bug but an expected behavior.  The default_*_enctypes
values act as filters to restrict the enctypes used.  

In the case of TGTs being imported from the Windows LSA, the enctypes of
the TGTs may not adhere to the default_tgt_enctype value since MS is
unaware of it.  The MSLSA ccache will return a TGT that does not match
the default_tgt_enctype specification.  However, when forwarding TGTs,
that code will insist on a conforming enctype for the TGT.  Hence it is
rejected.  

Removing the default_*_enctype specifications will allow things to work
in most situations.
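
The filtering described in this message can be checked against a configuration with a short script. This is an added example, not part of the original message and not MIT krb5 code: it is a simplified model that treats every default_*_enctypes entry in [libdefaults] as an allow-list. The sample krb5.conf and the rc4-hmac enctype used for the imported TGT are constructed assumptions.

```python
import re

# Alias names that MIT krb5 accepts for the same enctype (subset for this example).
ALIASES = {
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
}

def canon(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def enctype_filters(conf_text):
    """Return {key: [canonical enctypes]} for default_*_enctypes in [libdefaults]."""
    filters, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                    # track the current section
            section = m.group(1)
            continue
        m = re.fullmatch(r"(default_\w+_enctypes)\s*=\s*(.+)", line)
        if section == "libdefaults" and m:
            filters[m.group(1)] = [canon(e) for e in re.split(r"[,\s]+", m.group(2)) if e]
    return filters

def blocking_filters(conf_text, tgt_enctype):
    """Names of the configured filters that do not list the TGT's enctype."""
    wanted = canon(tgt_enctype)
    return sorted(k for k, allowed in enctype_filters(conf_text).items()
                  if wanted not in allowed)

# Constructed sample configuration, not taken from the ticket.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des3-cbc-sha1 des-cbc-crc
    default_tkt_enctypes = des3-cbc-sha1, des-cbc-crc

[domain_realm]
    .example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    for enctype in ("rc4-hmac", "des3-hmac-sha1"):   # assumed TGT enctypes
        print(enctype, "->", blocking_filters(SAMPLE_CONF, enctype) or "passes")
```

The script reports every filter that excludes the TGT's enctype; it does not determine which of them the forwarding code consults. With no default_*_enctypes lines present it reports nothing.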


