etype 23 on klist -e output when using Windows 2003 KDC to unix

Derek Yarnell derek at
Wed Oct 22 16:41:55 EDT 2003

On Wed, 22 Oct 2003 17:08:18 +0000, Sam Hartman wrote:

Alright I have found this same problem. Kerberos 5 v1.3.1 from MIT.
I am trying to get SAMBA 3.0.x running with a Windows 2003 Active
Directory but it is running in Native 2003 Mode. I am getting decrypt
integrity failed errors when I run from the samba stuff but I can
kinit correctly.

[root at atlantis ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: derek at PC.CS.UMD.EDU

Valid starting     Expires            Service principal
10/22/03 16:39:31  10/23/03 02:39:34  krbtgt/PC.CS.UMD.EDU at PC.CS.UMD.EDU
        renew until 10/22/03 17:39:31, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5 

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Anyone know what is going on here? The samba people seem to be clueless
and seem to think that it works with 2003 in native 2003 mode.


>>>>>> "Tim" == Tim Clarke <tim.clarke at> writes:
>     Tim> How do I change the tkt etype to be DES-CBC-CRC
> You don't.  Or at least a reasonable Kerberos implementation does not
> allow the client to influence the tkt enctype.  If it does, then the
> client may force the KDC to use a ticket key that is weaker or easier
> to attack.
> Microsoft's implementation may expose this, but if it does it is only
> for interoperability with broken Kerberos environments.
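
Added example, not part of the original post or of MIT Kerberos or Samba: a small parser for `klist -e` output that separates the session-key enctype from the ticket enctype and reports services whose keytab lacks a key of the ticket's enctype, which the service needs in order to decrypt it. The realm, host name and keytab contents are constructed assumptions, and the name-to-etype table is a subset.

```python
import re

# Enctype descriptions as printed by MIT klist -e, mapped to their
# Kerberos etype numbers (subset; extend as needed).
ETYPE_BY_NAME = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
    "Triple DES cbc mode with HMAC/sha1": 16,
    "ArcFour with HMAC/md5": 23,
}
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S.*)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")

# Constructed sample in the layout shown in the post (realm and host are made up).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
10/22/03 16:39:31  10/23/03 02:39:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/22/03 17:39:31, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
10/22/03 16:40:02  10/23/03 02:39:34  host/files.example.com@EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
"""

def parse_klist_e(text):
    """Return one dict per ticket with the session-key and ticket enctypes."""
    tickets, current = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = {"principal": m.group(3).strip()}
            tickets.append(current)
            continue
        e = ETYPE_RE.search(line)
        if e and current is not None:
            for field, name in (("skey", e.group(1)), ("tkt", e.group(2))):
                current[field] = name
                current[field + "_etype"] = ETYPE_BY_NAME.get(name)  # None if unknown
    return tickets

def missing_keys(tickets, keytab):
    """List (principal, tkt etype) where keytab[principal] lacks that etype."""
    return [(t["principal"], t.get("tkt_etype")) for t in tickets
            if t["principal"] in keytab
            and t.get("tkt_etype") not in keytab[t["principal"]]]
```

The `keytab` argument is a hypothetical `{principal: set of etype numbers}` mapping; principals not listed in it, such as the krbtgt, are skipped because their key lives on the KDC.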
