default_tgs_enctypes confusion

Jason C. Wells jcwells1 at highperformance.net
Thu May 29 22:03:43 EDT 2003


The man page for krb5.conf states that default_tgs_enctypes is a list of
session key encryption types that should be returned by the KDC.  Also,
default_tkt_enctypes is a list of session key encryption types that should
be requested by the client.

So, if I omit an encryption type, then I am not requesting that encryption
type.  Right?

When I delete completely des3-hmac-sha1 from my krb5.conf and get a new
TGT, I still get a des3-hmac-sha1 encryption type on my TGT.

How is this possible?

D:\>klist -e
Ticket cache: API:krb5cc
Default principal: ldsflkskdjf at STRADAMOTORSPORTS.COM

Valid starting     Expires            Service principal
05/29/03 18:49:34  05/30/03 04:49:34  krbtgt/STRADAMOTORSPORTS.COM at STRADAMOTORSPORTS.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1

TIA,
Jason C. Wells

(BTW, I did not realize this group was gatewayed to a mailing list.  I can
understand why a person who uses the mailing list would be put off by a
fake email address.  My apologies to any who got a bounced message from
me.  I thought this was just a newsgroup.  The address I am using now is
real.)
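
The "Etype (skey, tkt)" line in the klist output above carries two values per ticket: the session key enctype and the enctype the ticket itself is encrypted with. The Python below is an added example, not part of the original post; it parses that output (including the mail-wrapped lines) and checks each value separately against a configured list. The ALLOWED list and the KLIST_NAMES mapping are assumptions made for the illustration.

```python
import re

# Constructed sample: klist -e output as quoted in the post, mail wrapping kept.
SAMPLE = """\
Valid starting     Expires            Service principal
05/29/03 18:49:34  05/30/03 04:49:34
krbtgt/STRADAMOTORSPORTS.COM at STRADAMOTORSPORTS.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode
with HMAC/sha1
"""

# Assumption: klist description -> krb5.conf name, for the two enctypes shown.
KLIST_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
}
# Assumption: the enctype list left in krb5.conf after des3-hmac-sha1 was removed.
ALLOWED = ["des-cbc-crc"]

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ENTRY = re.compile(rf"^{STAMP}\s+{STAMP}\s*(.*)$")

def parse_klist(text):
    """Return one dict per ticket, rejoining wrapped principal/Etype lines."""
    entries, cur, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:                                  # timestamps start a new ticket
            cur, field = {"service": m.group(1), "etype": ""}, "service"
            entries.append(cur)
        elif not line:                         # blank line ends continuation
            cur = None
        elif cur is not None and line.startswith("Etype"):
            cur["etype"], field = line.split(":", 1)[1].strip(), "etype"
        elif cur is not None:                  # wrapped continuation line
            cur[field] = (cur[field] + " " + line).strip()
    return entries

def audit(text, allowed):
    """Check session-key and ticket enctypes separately against `allowed`."""
    report = []
    for e in parse_klist(text):
        skey, _, tkt = e["etype"].partition(", ")
        skey, tkt = KLIST_NAMES.get(skey, skey), KLIST_NAMES.get(tkt, tkt)
        report.append({"service": e["service"], "skey": skey, "tkt": tkt,
                       "skey_ok": skey in allowed, "tkt_ok": tkt in allowed})
    return report
```

For the sample, audit(SAMPLE, ALLOWED) reports skey_ok as True and tkt_ok as False. The ticket enctype is the type of key the KDC used to encrypt the ticket, so it reflects the keys stored for the krbtgt principal rather than the client's list.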


