Using keytab on Windows with KfW

Markus Moeller huaraz at moeller.plus.com
Sun Aug 12 17:59:30 EDT 2007


I would have preferred that too, but some bugs on the Windows side required 
the fixed enc types to get the cross realm working. The Windows kdc replied 
with unsupported enctype if rc4 wasn't the first enc type in the list. I 
don't understand why I needed to fix it in this case though. The MIT kdc is 
configured with

        supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
        kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal

in kdc.conf and on my kfw client I had no enctype configured. Why did the 
interactive kinit work but not the one with the keytab?

It only worked after adding

        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

to krb5.ini

Markus


"Christopher D. Clausen" <cclausen at acm.org> wrote in message 
news:f9nkq0$bni$1 at news.ks.uiuc.edu...
> Markus Moeller <huaraz at moeller.plus.com> wrote:
>> Thanks for the pointer. I thought I fixed the enctypes in krb5.ini
>> too, but copied it under the domain_realm section instead of
>> libdefaults. (The default krb5.ini didn't have the same order as my
>> krb5.conf.)
>
> I'd strongly suggest NOT specifying enc_types anywhere.  The newer krb5 
> libs are smart enough to use the "best" encryption supported by themselves 
> and the KDC and the application server.  Manually specifying them just 
> causes things to break, as you just saw.
>
> <<CDC
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
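
An added example (not part of the original message, and not code from MIT Kerberos or KfW): a small Python check for the two krb5.ini problems described in this thread, enctype settings placed outside [libdefaults] and an enctype list that does not start with rc4-hmac. The function names are hypothetical, and the sample configuration and the EXAMPLE.COM realm are constructed.

```python
"""Lint a krb5.ini/krb5.conf for the two enctype pitfalls discussed in this thread."""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_sections(text):
    """Return {section: {key: value}}; nested { } blocks are flattened into their section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint_enctypes(text, first="rc4-hmac"):
    """Report enctype keys outside [libdefaults] and lists not led by `first`.

    `first` defaults to rc4-hmac only because that is what the Windows KDC in
    this thread required; it is an assumption, not a general recommendation.
    """
    findings = []
    for section, entries in parse_sections(text).items():
        for key in ENCTYPE_KEYS:
            if key not in entries:
                continue
            if section != "libdefaults":
                findings.append(f"{key} is under [{section}], where it has no effect "
                                f"as an enctype setting; move it to [libdefaults]")
                continue
            enctypes = entries[key].replace(",", " ").split()
            if enctypes and enctypes[0] != first:
                findings.append(f"{key} starts with {enctypes[0]}, not {first}")
    return findings

# Constructed sample: the misplacement described in the quoted message.
MISPLACED = """
[libdefaults]
    default_realm = EXAMPLE.COM
[domain_realm]
    .example.com = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des3-cbc-sha1 rc4-hmac
"""

if __name__ == "__main__":
    print("\n".join(lint_enctypes(MISPLACED)))
```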





