krb1.2.3 on win2k using win2k active directory

Booker C. Bense bbense at networking.stanford.edu
Mon Mar 18 09:45:20 EST 2002


On Mon, 18 Mar 2002, David Bailey wrote:

> Hi,
>
> The subjects says it all, and may sound crazy, but I'm just trying to get to
> grips with the practicalities of krb5...
>
> I'm confused by the errors I'm getting with the following test - it's almost
> certainly a problem with my understanding but any help would be appreciated.
>
>
> Using kinit with a valid principal (a user) in the domain returns the
> folowing error:
>
> kinit.exe(v5): KDC has no support for encryption type while getting initial
> credentials
>
> which has me confused. Is this because I've not installed a keytab on the
> machine I'm trying to authenticate from or is there something I'm missing?
>

- This has nothing to do with a keytab. It's saying that you are
asking for a kind of key that the KDC doesn't support. There is
some mismatch in the configuration between your client and the KDC.

- This is just a total guess, but it may be that you're asking for
a triple DES key. I have no idea if the W2K KDC supports that or
not.

- You can control the kind of key you ask for on the MIT client
side by using the libdefaults options

    default_tgs_enctypes  = des-cbc-crc
    default_tkt_enctypes  = des-cbc-crc

- That's what works here, I suggest you read the MS white paper on
kerberos interoperablity for all the available options.

- Booker C. Bense




More information about the Kerberos mailing list