krb5 commit [krb5-1.15]: Add caveats to krbtgt change documentation

Tom Yu tlyu at mit.edu
Mon Jan 9 15:30:39 EST 2017 

https://github.com/krb5/krb5/commit/f2bff4a6557206f7adc64185f324a1b979a900c3
commit f2bff4a6557206f7adc64185f324a1b979a900c3
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sun Dec 4 18:34:41 2016 -0500

    Add caveats to krbtgt change documentation
    
    In database.rst, describe a couple of krbtgt rollover issues and how
    to avoid them.
    
    (cherry picked from commit 56d05e87858b672591c1e6b7869cb08e8b1e0d59)
    
    ticket: 8524
    version_fixed: 1.15.1

 doc/admin/database.rst |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 078abc7..b693042 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -765,6 +765,24 @@ database as well as the new key.  For example::
              with older kvnos, ideally first making sure that all
              tickets issued with the old keys have expired.
 
+Only the first krbtgt key of the newest key version is used to encrypt
+ticket-granting tickets.  However, the set of encryption types present
+in the krbtgt keys is used by default to determine the session key
+types supported by the krbtgt service (see
+:ref:`session_key_selection`).  Because non-MIT Kerberos clients
+sometimes send a limited set of encryption types when making AS
+requests, it can be important to for the krbtgt service to support
+multiple encryption types.  This can be accomplished by giving the
+krbtgt principal multiple keys, which is usually as simple as not
+specifying any **-e** option when changing the krbtgt key, or by
+setting the **session_enctypes** string attribute on the krbtgt
+principal (see :ref:`set_string`).
+
+Due to a bug in releases 1.8 through 1.13, renewed and forwarded
+tickets may not work if the original ticket was obtained prior to a
+krbtgt key change and the modified ticket is obtained afterwards.
+Upgrading the KDC to release 1.14 or later will correct this bug.
+
 
 .. _incr_db_prop:

More information about the cvs-krb5 mailing list