supported_enctypes question

Tom Yu tlyu at MIT.EDU
Wed Aug 26 15:05:11 EDT 2009


John Harris <harris at ucdavis.edu> writes:

> Greetings,
>
> I currently have an MIT KDC where I need to use the des-cbc-crc:normal 
> encryption type on *one* service principal.  For the rest of my KDC, all 
> principals can be aes or rc4.  I'm confused as to what I need in my 
> config and what will work.
>
> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf 
> in the supported_enctypes field, I'm still able to create the 
> des-cbc-crc:normal service principal I need.  In fact, I can kinit -S 
> for it and obtain it.  My confusion lies in that I thought not having 
> des-cbc-crc:normal in this configuration line meant the KDC wouldn't 
> recognize or serve tickets for it.
>
> It'd be great to not have to put this in the config line so that later 
> principals only get the aes256 and rc4 types on them, but I'm not 
> understanding why I'm successfully obtaining a principal with only the 
> des encryption type without adding it to this line.

The "supported_enctypes" configuration variable really means "default
list of enctype-salttype pairs for which the kadmin subsystem will
generate keys".  The name is arguably misleading; if anyone has ideas
about a better name, please suggest one.
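
An added example, not part of the original post: because the list is only a default for key generation and not an allowlist, an audit has to look at the keys principals actually hold. The sketch below compares a constructed kdc.conf fragment against constructed text in the style of kadmin `getprinc` output; the realm, principal names and the `Key: vno N, <enctype>` line format are assumptions.

```python
import re

# Constructed kdc.conf fragment (realm name is a placeholder).
KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal rc4-hmac:normal
    }
"""

# Constructed sample in the style of kadmin "getprinc" output; the
# "Key: vno N, <enctype>" line format is an assumption about your release.
GETPRINC_OUTPUT = """
Principal: host/app1.example.com@EXAMPLE.COM
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, arcfour-hmac
Principal: legacy/svc.example.com@EXAMPLE.COM
Key: vno 1, des-cbc-crc
"""

# Short config names and the canonical enctype names they alias.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
}

def default_enctypes(conf_text):
    """Return the canonical enctypes kadmin generates keys for by default."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", conf_text, re.M)
    pairs = re.split(r"[,\s]+", m.group(1).strip()) if m else []
    return {ALIASES.get(p.split(":", 1)[0], p.split(":", 1)[0]) for p in pairs}

def keys_outside_default(getprinc_text, defaults):
    """Map principal -> sorted enctypes it holds that are not in the default list."""
    findings, current = {}, None
    for line in getprinc_text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Key:") and current:
            enctype = line.split(",", 1)[1].strip().split(":", 1)[0]
            if enctype not in defaults:
                findings.setdefault(current, set()).add(enctype)
    return {p: sorted(e) for p, e in findings.items()}

if __name__ == "__main__":
    report = keys_outside_default(GETPRINC_OUTPUT, default_enctypes(KDC_CONF))
    for princ, etypes in report.items():
        print(f"{princ}: {', '.join(etypes)}")
```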