Why does changing supported_enctypes not work?

Sam Hartman hartmans at MIT.EDU
Wed Oct 8 12:25:24 EDT 2003

>>>>> "John" == John Hascall <john at iastate.edu> writes:

    John> The instructions for our VPN server say to add
    John> des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
    John> to the supported_enctypes line in our realm in our krb5.conf
    John> file, then restart the daemons and change a principal's
    John> password and then that principal should have the proper "DES
    John> cbc mode with RSA-MD5, Version 5" key that the VPN needs.

I'm not really sure, but the following appears to work fine for me:

kadmin.local:  addprinc -e des-cbc-md5:normal md5
WARNING: no policy specified for md5 at SUCHDAMAGE.ORG; defaulting to no policy
Enter password for principal "md5 at SUCHDAMAGE.ORG":
Re-enter password for principal "md5 at SUCHDAMAGE.ORG":
Principal "md5 at SUCHDAMAGE.ORG" created.
kadmin.local:  getprinc md5
Principal: md5 at SUCHDAMAGE.ORG
Expiration date: [never]
Last password change: Wed Oct 08 12:27:23 EDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Oct 08 12:27:23 EDT 2003 (root/admin at SUCHDAMAGE.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Policy: [none]

You should be aware that MIt Kerberos will never issue a session key
using des-cbc-md5.

More information about the Kerberos mailing list