Why does changing supported_enctypes not work?
Sam Hartman
hartmans at MIT.EDU
Wed Oct 8 12:25:24 EDT 2003
>>>>> "John" == John Hascall <john at iastate.edu> writes:
John> The instructions for our VPN server say to add
John> des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
John> to the supported_enctypes line in our realm in our krb5.conf
John> file, then restart the daemons and change a principal's
John> password and then that principal should have the proper "DES
John> cbc mode with RSA-MD5, Version 5" key that the VPN needs.
I'm not really sure, but the following appears to work fine for me:
kadmin.local: addprinc -e des-cbc-md5:normal md5
WARNING: no policy specified for md5 at SUCHDAMAGE.ORG; defaulting to no policy
Enter password for principal "md5 at SUCHDAMAGE.ORG":
Re-enter password for principal "md5 at SUCHDAMAGE.ORG":
Principal "md5 at SUCHDAMAGE.ORG" created.
kadmin.local: getprinc md5
Principal: md5 at SUCHDAMAGE.ORG
Expiration date: [never]
Last password change: Wed Oct 08 12:27:23 EDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Oct 08 12:27:23 EDT 2003 (root/admin at SUCHDAMAGE.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
You should be aware that MIT Kerberos will never issue a session key
using des-cbc-md5.
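
Added example, not part of the original message and not MIT Kerberos code: a small Python check that reads saved getprinc output in the format shown above and confirms that the principal's current key version carries the enctype the VPN needs. The function names, the optional salt field and the second sample are assumptions made for illustration.

```python
import re

# Key lines as printed by getprinc in the session above, e.g.
#   "Key: vno 1, DES cbc mode with RSA-MD5, no salt"
# The trailing salt field is treated as optional (assumption).
KEY_LINE = re.compile(r"^Key:\s*vno\s+(\d+),\s*(.+?)(?:,\s*([^,]+))?$")
COUNT_LINE = re.compile(r"^Number of keys:\s*(\d+)$")

def parse_getprinc(text):
    """Return (declared_key_count, [(vno, enctype, salt), ...])."""
    declared, keys = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_LINE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = KEY_LINE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(2).strip(), m.group(3)))
    return declared, keys

def check_enctype(text, wanted):
    """List problems that would stop `wanted` being the principal's current key."""
    declared, keys = parse_getprinc(text)
    problems = []
    if not keys:
        return ["no key lines found"]
    if declared is not None and declared != len(keys):
        problems.append(f"header says {declared} keys, parsed {len(keys)}")
    # Only the highest key version number is the principal's current key.
    current = max(vno for vno, _, _ in keys)
    have = [e for vno, e, _ in keys if vno == current]
    if wanted.lower() not in (e.lower() for e in have):
        problems.append(f"vno {current} has {have}, not {wanted!r}")
    return problems

# Copied from the getprinc output in the message above.
FROM_POST = """Number of keys: 1
Key: vno 1, DES cbc mode with RSA-MD5, no salt
"""
# Constructed sample: password changed (vno 2), old key kept, new key is des-cbc-crc only.
CONSTRUCTED = """Number of keys: 2
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
"""
WANTED = "DES cbc mode with RSA-MD5"

if __name__ == "__main__":
    for name, sample in (("post", FROM_POST), ("constructed", CONSTRUCTED)):
        print(name, check_enctype(sample, WANTED) or "ok")
```
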