cross realm trusts ..

Matt Bryant matthew.bryant at
Thu Nov 28 16:53:45 EST 2013

Hmm a thought but checking the configs the legacy realm is using

supported_enctypes = des3-cbc-sha1:normal des3-cbc-raw:normal

and added both the cross realm keys to both KDCs with a single 
explicitly defined enctype ...


add_princ -e des3-cbc-sha1:normal -pw XXXX krbtgt/REALM1 at REALM2


Matt B.

On 29/11/13 07:29, Dennis Davis wrote:
> On Fri, 29 Nov 2013, Matt Bryant wrote:
>> From: Matt Bryant <matthew.bryant at>
>> To: undisclosed-recipients:  ;
>> Cc: kerberos at
>> Date: Thu, 28 Nov 2013 20:36:03
>> Subject: Re: cross realm trusts ..
>> Have done that and yes can see all of those tickets .... mine, the
>> TGT for cross realm auth and the host ticket in the other realm ..
>> Now at this point got to say the old realm/kdc is on el4 and of
>> course th eipa is on el6
>> is there any reason the version disparity 1.3 v 1.10 is causing issues
> Wild guess:  Incompatible encryption types?
> See:
> which includes:
>    DES transition
>    The Data Encryption Standard (DES) is widely recognized as
>    weak. The krb5-1.7 release contains measures to encourage sites to
>    migrate away from using single-DES cryptosystems. Among these is
>    a configuration variable that enables "weak" enctypes, which now
>    defaults to "false" beginning with krb5-1.8.
> Kerberos 1.3 will be happy with what are now regarded as weak
> encryption types.
> Also note the manual page for kdc.conf on later versions of Kerberos
> includes:
>    While aes128-cts and aes256-cts are supported for all Kerberos
>    operations, they are not supported by very old versions of our
>    GSSAPI implementation (krb5-1.3.1 and earlier).  Services running
>    versions of krb5 without AES support must not be given AES keys in
>    the KDC database.

More information about the Kerberos mailing list