gss_accept_sec_context
Ken Raeburn
raeburn at MIT.EDU
Fri Nov 2 16:01:32 EDT 2007
On Nov 2, 2007, at 13:54, Kevin Coffman wrote:
> On 11/2/07, Manoj Mohan <manojm at us.ibm.com> wrote:
>> When I ran ktutil on my keytab file, I had 2 entries (with KVNO
>> 2).
>> I deleted the file and recreated it with ktadd, but with the -e option
>> to add only one
>> encryption type, and then accept_sec_context worked.
>>
>> What is the usual practice? Should we always do ktadd with the -e
>> option? Why is it
>> generating 2 entries when I do only ktadd (without -e), when in my
>> krb5.conf there is only one encryption type listed, like this:
>>
>> [libdefaults]
>> default_realm = EXAMPLE.IBM.COM
>> default_keytab_name = FILE:/etc/krb5.keytab
>> default_tkt_enctypes = des-cbc-crc
>> default_tgs_enctypes = des-cbc-crc
>
> ktadd does not look at those enctype definitions on the local machine
> where you run ktadd. What is used is the "supported_enctypes" defined
> for the realm in the kdc configuration. If your service doesn't
> support all the enctypes listed there, then you must limit the list
> with the -e option when doing the ktadd.
We wouldn't want to look at the *default* ticket encryption types on
the server anyway, but the set of supported enctypes on the server.
If that list isn't being used (as specified, or the compiled-in
default), in addition to the KDC-side restrictions, it's probably a
bug, I think.
Ken
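The practical check behind this thread is to look at which enctypes the keytab actually holds before blaming gss_accept_sec_context. Below is an added example (not MIT Kerberos code and not from anyone in this thread): a minimal reader for the keytab file format written by ktadd (version 0x0502), plus a filter that flags entries whose enctype the service does not support. The two sample keytabs, the principal host/gssserver.example.com, the realm EXAMPLE.COM and the key bytes are all constructed here so the script runs offline; they stand in for what a plain ktadd (two enctypes from the realm's supported_enctypes) and a ktadd -e des-cbc-crc:normal would leave behind. The enctype numbers are the standard RFC 3961 assignments.

```python
"""Inspect which encryption types a Kerberos keytab actually carries.

Added example for this thread (not MIT Kerberos code): a minimal parser for
the keytab file format (version 0x0502) plus a check that every entry's
enctype is one the service supports. The sample keytabs, principal, realm
and key bytes are constructed inline so the script runs offline.
"""
import struct

# Enctype numbers from RFC 3961; only a few common ones are listed here.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(data: bytes) -> bytes:
    """Keytab counted string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples in keytab v2 layout.

    Only used here to construct the sample input; ktadd writes this format.
    """
    out = b"\x05\x02"  # keytab file format version 2
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type (1 = NT-PRINCIPAL), timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes):
    """Return one dict per keytab entry (principal, kvno, enctype, key length)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (blob[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen  # skip over the key bytes themselves
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it wins when non-zero
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "keylen": klen,
        })
        pos = end
    return entries


def unsupported_entries(entries, supported):
    """Entries whose enctype is outside the set the service can use."""
    return [e for e in entries if e["enctype"] not in supported]


# Constructed samples (not real keytabs): a plain ktadd picking up two enctypes
# from the realm's supported_enctypes, versus ktadd -e des-cbc-crc:normal.
SAMPLE_TWO_ENTRIES = build_keytab([
    ("host/gssserver.example.com", "EXAMPLE.COM", 2, 16, b"\x11" * 24),  # des3-cbc-sha1
    ("host/gssserver.example.com", "EXAMPLE.COM", 2, 1, b"\x22" * 8),    # des-cbc-crc
])
SAMPLE_ONE_ENTRY = build_keytab([
    ("host/gssserver.example.com", "EXAMPLE.COM", 3, 1, b"\x33" * 8),
])

if __name__ == "__main__":
    for label, blob in (("plain ktadd", SAMPLE_TWO_ENTRIES), ("ktadd -e", SAMPLE_ONE_ENTRY)):
        ents = parse_keytab(blob)
        print(label)
        for e in ents:
            print("  kvno %d  %-24s %s" % (e["kvno"], e["enctype_name"], e["principal"]))
        bad = unsupported_entries(ents, {1})  # service here only speaks des-cbc-crc
        print("  entries the service cannot use:", [e["enctype_name"] for e in bad])
```

On a real host, `open("/etc/krb5.keytab", "rb").read()` can be passed to parse_keytab in place of the constructed samples; the same information is what `klist -ke` prints. Remember that a surplus enctype is only a problem when the service library cannot use it; the fix from the thread is to restrict ktadd with -e (or trim supported_enctypes on the KDC), not to edit the keytab by hand.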