Using keytab on Windows with KfW
Markus Moeller
huaraz at moeller.plus.com
Sun Aug 12 17:59:30 EDT 2007
I would have preferred that too, but some bugs on the Windows side required
the fixed enc types to get the cross realm working. The Windows KDC replied
with unsupported enctype if rc4 wasn't the first enc type in the list. I
don't understand why I needed to fix it in this case though. The MIT KDC is
configured with
supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
in kdc.conf and on my KfW client I had no enctype configured. Why did the
interactive kinit work and with the keytab not?
It only worked after adding
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
to krb5.ini
Markus
"Christopher D. Clausen" <cclausen at acm.org> wrote in message
news:f9nkq0$bni$1 at news.ks.uiuc.edu...
> Markus Moeller <huaraz at moeller.plus.com> wrote:
>> Thanks for the pointer. I thought I fixed the enctypes in krb5.ini
>> too, but copied it under the domain_realm section instead of
>> libdefaults. (The default krb5.ini didn't have the same order as my
>> krb5.conf)
>
> I'd strongly suggest NOT specifying enc_types anywhere. The newer krb5
> libs are smart enough to use the "best" encryption supported by themselves
> and the KDC and the application server. Manually specifying them just
> causes things to break, as you just saw.
>
> <<CDC
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
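Added example (not part of the original messages, and not MIT or KfW code): a small check for the mistake described in the quoted text, where the enctype lines ended up under [domain_realm] instead of [libdefaults] and so had no effect as enctype settings. The sample krb5.ini, the realm name EXAMPLE.COM and the function names are constructed for illustration.

```python
import re

# Enctype relations named in the thread; MIT krb5 looks them up in [libdefaults].
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample reproducing the misplacement described in the quoted message.
SAMPLE_BROKEN = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
"""

def parse_sections(text):
    """Map each [section] to its 'key = value' relations (nested {} blocks are flattened)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_enctypes(text):
    """Return (misplaced, effective): settings outside [libdefaults], and those inside it."""
    sections = parse_sections(text)
    misplaced = [(key, name) for name, rel in sections.items()
                 for key in ENCTYPE_KEYS if key in rel and name != "libdefaults"]
    libdefaults = sections.get("libdefaults", {})
    effective = {key: re.split(r"[\s,]+", libdefaults[key])
                 for key in ENCTYPE_KEYS if key in libdefaults}
    return misplaced, effective

if __name__ == "__main__":
    misplaced, effective = check_enctypes(SAMPLE_BROKEN)
    for key, section in misplaced:
        print(f"{key} is under [{section}]; it only takes effect in [libdefaults]")
    print("effective enctype settings:", effective or "none (library defaults apply)")
```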