Russ Allbery rra at stanford.edu
Thu Aug 31 13:56:52 EDT 2006

Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

>> We're in the process of enabling additional enctypes in a K5 realm that
>> previously only had DES keys.  Our kdc.conf file now reads (in part):
>> master_key_type    = des-cbc-crc
>> supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal aes256-cts:normal

> There's an implied preference order to the keys listed in
> supported_enctypes.  If you want AES to be used for tickets (when
> possible, of course), you should list that first.

> (For session keys, the list sent by the client is used as the preference
> order).

Thanks to both you and Jeff Altman (who sent me the same detail privately)
for the diagnosis.  I had tried changing the kdc.conf and restarting the
KDC, but the preference order is apparently encoded in the database at the
time the key is changed.  I'll change the key again after changing
kdc.conf to fix the preference order.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
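
The ordering issue discussed in this thread can be checked mechanically. The following is an added example, not part of the original message or of MIT Kerberos: it parses `supported_enctypes` from a kdc.conf and reports whether a weaker enctype is listed ahead of a stronger one. The function names, the `STRENGTH` ranking, and the `EXAMPLE.ORG` realm are assumptions; the two settings in the sample are the ones quoted above.

```python
import re

# Assumed strength ranking (higher is stronger); not taken from the thread.
STRENGTH = {
    "aes256-cts": 4, "aes128-cts": 3,
    "des3-cbc-sha1": 2,
    "des-cbc-crc": 1, "des-cbc-md5": 1, "des-cbc-md4": 1,
}

# Constructed sample: realm name is a placeholder, settings are from the thread.
SAMPLE = """\
[realms]
    EXAMPLE.ORG = {
        master_key_type    = des-cbc-crc
        supported_enctypes = des-cbc-crc:normal des3-cbc-sha1:normal aes256-cts:normal
    }
"""

def parse_supported_enctypes(conf_text):
    """Return the enctype:salt entries of supported_enctypes in listed order."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", conf_text, re.M)
    if not m:
        return []
    return re.split(r"[\s,]+", m.group(1).strip())

def rank(entry):
    """Strength of an enctype:salt entry; unknown enctypes rank lowest (0)."""
    return STRENGTH.get(entry.split(":")[0], 0)

def check_order(entries):
    """Return (ok, suggested).

    ok is True when no entry is listed ahead of a stronger one; suggested
    is the same list sorted strongest-first (stable, so ties keep their order).
    """
    suggested = sorted(entries, key=rank, reverse=True)
    ok = [rank(e) for e in entries] == [rank(e) for e in suggested]
    return ok, suggested

if __name__ == "__main__":
    listed = parse_supported_enctypes(SAMPLE)
    ok, suggested = check_order(listed)
    print("listed:   ", " ".join(listed))
    print("ordered strongest-first:", ok)
    if not ok:
        print("suggested:", " ".join(suggested))
```

The reply above reports that the order is recorded when a key is changed, so a corrected list only takes effect for a principal after its next key change.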

