default encryption types
Douglas E. Engert
deengert at anl.gov
Fri Apr 22 16:37:43 EDT 2005
Markus Moeller wrote:
> I do have a setup with two KDCs (a Windows and a non-Windows KDC). I'd like to
> use the highest encryption type available. The krb5.conf on my client looks like:
>
> [libdefaults]
> default_realm = W2K3.COM
> default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
I think you need commas in the list, and I think it is called arcfour-hmac-md5.
Try something like:
default_tkt_enctypes = des3-cbc-sha1,arcfour-hmac-md5,des-cbc-md5,des-cbc-crc
>
> [realms]
> W2K3.COM = {
> kdc = kdc.w2k3.com:88
> kpasswd_server = kdc.w2k3.com:464
> }
> MIT.COM = {
> kdc = kdc.mit.com:88
> kpasswd_server = kdc.mit.com:464
> }
> [domain_realm]
> .mit.com = MIT.COM
> .w2k3.com = W2K3.COM
>
>
> A kinit user at W2K3.COM gives the following error:
> kinit(v5): KDC has no support for encryption type while getting initial credentials
>
> It works the other way round e.g.
> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
>
>
> kinit user at MIT.COM gives no error and I get a tgt.
>
>
> I know that MS doesn't support 3DES, but I thought if I give a list it will use
> the next highest supported encryption type. Is this a bug in MS or does the
> standard allow this behaviour?
>
>
> Thanks
> Markus
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
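
An added example, not part of the original thread: a small checker that parses the `default_tkt_enctypes` / `default_tgs_enctypes` lines discussed above, splits on commas or whitespace so both list forms in the thread parse the same way, folds the RC4 spellings to one name, and reports which entries a given KDC lacks. The per-realm KDC capability sets and all function names are assumptions made for illustration.

```python
import re

# Alternate spellings of the RC4 enctype in MIT krb5, folded to one canonical name.
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}

# Deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# Constructed capability sets (assumption); the post only says the Windows KDC lacks 3DES.
KDC_ENCTYPES = {
    "W2K3.COM": {"arcfour-hmac", "des-cbc-md5", "des-cbc-crc"},
    "MIT.COM": {"des3-cbc-sha1", "arcfour-hmac", "des-cbc-md5", "des-cbc-crc"},
}

# Constructed sample: tkt line as in the post, tgs line in the reply's comma form.
SAMPLE_CONF = """\
[libdefaults]
default_realm = W2K3.COM
default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1,arcfour-hmac-md5,des-cbc-md5,des-cbc-crc
"""


def parse_enctypes(conf_text, key):
    """Return the canonicalized, ordered enctype list for `key`, or [] if absent."""
    match = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+)$", conf_text, re.MULTILINE)
    if not match:
        return []
    names = [n.lower() for n in re.split(r"[\s,]+", match.group(1).strip()) if n]
    return [ALIASES.get(n, n) for n in names]


def check_against_kdc(preferences, kdc_supported):
    """Compare a client preference list with the enctypes a KDC supports."""
    usable = [e for e in preferences if e in kdc_supported]
    return {
        "first_choice_supported": bool(preferences) and preferences[0] in kdc_supported,
        "first_mutual": usable[0] if usable else None,
        "unsupported": [e for e in preferences if e not in kdc_supported],
        "deprecated": [e for e in preferences if e in DEPRECATED],
    }


if __name__ == "__main__":
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        prefs = parse_enctypes(SAMPLE_CONF, key)
        for realm, supported in KDC_ENCTYPES.items():
            print(key, realm, check_against_kdc(prefs, supported))
```

The report only compares lists; it does not model how a particular KDC reacts when the first requested enctype is one it lacks, which is the question the thread leaves open.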