gss_accept_sec_context
Nicolas Williams
Nicolas.Williams at sun.com
Fri Nov 2 16:39:00 EDT 2007
On Fri, Nov 02, 2007 at 01:54:07PM -0400, Kevin Coffman wrote:
> > default_tkt_enctypes = des-cbc-crc
> > default_tgs_enctypes = des-cbc-crc
>
> ktadd does not look at those enctype definitions on the local machine
> where you run ktadd. What is used is the "supported_enctypes" defined
> for the realm in the kdc configuration. If your service doesn't
> support all the enctypes listed there, then you must limit the list
> with the -e option when doing the ktadd.
Er, it's a bit more complicated than that.
kadmin ktadd without a -e argument lets kadmind pick an enctype list,
namely, the supported_enctypes list (note: that's the KDC-side setting
of supported_enctypes).
kadmin ktadd with a -e argument specifies which enctypes to use.
On Solaris 10 and up it's a bit more complicated still: without a -e
argument kadmin ktadd behaves as if you had used -e with the list of
permitted_enctypes (note: that's the client-side setting of
permitted_enctypes).
And the Solaris 10 and up kadmind uses 1DES enctypes only for clients
that use the randkey-without-enctypes RPC.
Bottom-line:
- when doing ktadd you really want to specify what enctypes to use or
else default to the *local* permitted_enctypes value, and of the
enctypes you do specify, if you do, at least one should be listed in
the local permitted_enctypes;
- if you're using straight MIT krb5's kadmin client then you should
just always use the -e argument to ktadd, always.
I think MIT should change kadmin's ktadd command to work more or less as
the Solaris one does.
The above applies only to ktadd, not chpass.
Nico
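The bottom line above, as an added shell example that is not part of the thread: a dry-run wrapper that always passes -e to ktadd and refuses unless at least one requested enctype appears in the local permitted_enctypes. The krb5.conf text, keytab path, principal and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: apply "always use -e, and overlap with local permitted_enctypes".
# Constructed sample [libdefaults]; in practice feed it /etc/krb5.conf.
KRB5_CONF_SAMPLE='[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
'

# Print the permitted_enctypes value from krb5.conf text on stdin
# (first match only; commas are treated as separators).
permitted_enctypes() {
    sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr ',' ' '
}

# Return 0 if at least one "enctype:salttype" spec in $2 has its enctype in $1.
enctypes_overlap() {
    allowed=$1
    for spec in $2; do
        et=${spec%%:*}
        for p in $allowed; do
            [ "$et" = "$p" ] && return 0
        done
    done
    return 1
}

# $1 = krb5.conf text, $2 = keytab path, $3 = "enctype:salt ..." list, $4 = principal.
# Prints the ktadd query to pass to `kadmin -q`; refuses if no enctype overlaps.
safe_ktadd() {
    permitted=$(printf '%s' "$1" | permitted_enctypes)
    if ! enctypes_overlap "$permitted" "$3"; then
        echo "refusing: none of [$3] is in local permitted_enctypes [$permitted]" >&2
        return 1
    fi
    printf 'ktadd -k %s -e "%s" %s\n' "$2" "$3" "$4"
}
```

Run the printed query with `kadmin -q "$(safe_ktadd "$(cat /etc/krb5.conf)" /etc/krb5.keytab "aes256-cts-hmac-sha1-96:normal" host/web.example.com)"` and confirm the result with `klist -e -k /etc/krb5.keytab`.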