Why does changing supported_enctypes not work?

John Hascall john at iastate.edu
Fri Oct 10 08:43:50 EDT 2003

OK, thanks for the help so far on changing my enctypes.
Editing kdc.conf instead of krb5.conf was obviously a
big key.  However, I don't seem to be getting quite
what I asked for.

In kdc.conf:
   supported_enctypes = des-cbc-crc:v4 des-cbc-crc:normal

From getprinc:
Key: vno 3, DES cbc mode with CRC-32, Version 4
Key: vno 3, DES cbc mode with CRC-32, no salt
I was expecting this 2nd one to say:
Key: vno 3, DES cbc mode with CRC-32, Version 5

(which is what the VPN docs say I should see)

and since I see this in the code (in lib/krb5/krb/str_conv.c):

static const struct salttype_lookup_entry salttype_table[] = {
/* salt type                    input specifier output string  */
/*----------------------------- --------------- ---------------*/
{ KRB5_KDB_SALTTYPE_NORMAL,     "normal",       "Version 5"       },     /* <=== */
{ KRB5_KDB_SALTTYPE_V4,         "v4",           "Version 4"       },
{ KRB5_KDB_SALTTYPE_NOREALM,    "norealm",      "Version 5 - No Realm" },
{ KRB5_KDB_SALTTYPE_ONLYREALM,  "onlyrealm",    "Version 5 - Realm Only" },
{ KRB5_KDB_SALTTYPE_SPECIAL,    "special",      "Special" },
{ KRB5_KDB_SALTTYPE_AFS3,       "afs3",         "AFS version 3"    }
};

This appears to be somehow related to this
code (in kadmin/cli/kadmin.c):

             /* The salt type is looked up only when key_data_ver > 1 */
             if (key_data->key_data_ver > 1) {
                  if (krb5_salttype_to_string(key_data->key_data_type[1],
                                              salttype, sizeof(salttype)))
                       sprintf(salttype, "<Salt type 0x%x>",
                               key_data->key_data_type[1]);
                  printf("%s\n", salttype);
             } else
                  printf("no salt\n");

so what is 'key_data->key_data_ver' and is it relevant here?

Thanks again,
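
Added example, not part of the original post and not MIT krb5 code: a stand-alone C model of the two fragments quoted above, showing that the printed salt label is decided by key_data_ver before the salt type table is consulted. The struct, enum values and function names are stand-ins chosen for illustration.

```c
/* Added example: stand-alone model of the getprinc salt display path.
 * Names and numeric values are stand-ins, not taken from the krb5 headers. */
#include <stdio.h>
#include <string.h>

enum { SALT_NORMAL, SALT_V4, SALT_NOREALM, SALT_ONLYREALM, SALT_SPECIAL, SALT_AFS3 };

struct salt_entry { int type; const char *out; };
static const struct salt_entry salt_table[] = {
    { SALT_NORMAL,    "Version 5" },
    { SALT_V4,        "Version 4" },
    { SALT_NOREALM,   "Version 5 - No Realm" },
    { SALT_ONLYREALM, "Version 5 - Realm Only" },
    { SALT_SPECIAL,   "Special" },
    { SALT_AFS3,      "AFS version 3" },
};

/* type[0] models the enctype slot, type[1] the salt type slot. */
struct key_data_model { int ver; int type[2]; };

/* Returns 0 on success, -1 for an unknown type or a buffer that is too small. */
static int salttype_to_string(int type, char *buf, size_t len) {
    for (size_t i = 0; i < sizeof salt_table / sizeof salt_table[0]; i++) {
        if (salt_table[i].type != type) continue;
        if (strlen(salt_table[i].out) >= len) return -1;
        strcpy(buf, salt_table[i].out);
        return 0;
    }
    return -1;
}

/* Same branch as the kadmin.c fragment: the salt type is read only when ver > 1. */
const char *salt_label(const struct key_data_model *kd, char *buf, size_t len) {
    if (kd->ver <= 1) return "no salt";
    if (salttype_to_string(kd->type[1], buf, len))
        snprintf(buf, len, "<Salt type 0x%x>", (unsigned)kd->type[1]);
    return buf;
}

int main(void) {
    char buf[32];
    const struct key_data_model keys[] = {   /* constructed sample records */
        { 2, { 1, SALT_V4 } }, { 1, { 1, SALT_NORMAL } },
        { 2, { 1, SALT_NORMAL } }, { 2, { 1, 0x7f } },
    };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("key_data_ver=%d salt=%d: %s\n", keys[i].ver, keys[i].type[1],
               salt_label(&keys[i], buf, sizeof buf));
    return 0;
}
```

In this model a record with key_data_ver 1 prints "no salt" whatever its salt type slot holds, and "Version 5" appears only for a normal-salt record whose key_data_ver is greater than 1.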
