[krbdev.mit.edu #2155] krb5-1.3.x testing with default_tgs_enctypes in krb5.conf
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Feb 2 12:19:15 EST 2004
> default_tkt_enctypes = des-cbc-crc,des-cbc-md5
> default_tgs_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1

Doug, as a side comment ...

I think I've got one of the stranger MIT krb5 installations around, and
I've recently migrated a bunch of sites to 3DES only, so I think I have
a reasonable amount of experience with enctypes issues (I discovered a
bug in fwd_tgt.c regarding enctype processing a while ago). Given all of
that, I have to ask you ... why are you putting default_*_enctypes
entries in your krb5.conf? It should only be necessary in a few very
strange circumstances; I have _one_ host where this is done, but that's
only because of a Java-Kerberos implementation that can only handle
single-DES. In every other case, I have never found it necessary (and
having those entries can cause problems, as you have discovered).

Once upon a time, someone around here had the bright idea to do this.
It took me _years_ to undo the lossage surrounding this, and it still
occasionally screws me.

Maybe you have a situation where this is necessary, or you want to force
a particular priority, but from your email, I don't quite see why you need
this. I only mention this to possibly help you save pain down the road.

--Ken
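
The message above questions pinned default_*_enctypes entries in krb5.conf. As an added example (not part of the original post or of MIT krb5), here is one way to audit a krb5.conf for such entries and flag single-DES enctypes in them. The function name, the sample file and the realm EXAMPLE.COM are constructed for illustration.

```python
import re

# Constructed sample: the two settings quoted at the top of the message,
# placed in a [libdefaults] section. The realm and KDC names are made up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc,des-cbc-md5
    default_tgs_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1
    # default_tgs_enctypes = des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

PINNED_KEY = re.compile(r"^default_\w+_enctypes$")
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5"}  # the single-DES names on this page


def find_pinned_enctypes(conf_text):
    """Return (lineno, key, enctypes, single_des) for each default_*_enctypes
    relation found at the top level of [libdefaults]."""
    findings = []
    section = None
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:                           # e.g. [libdefaults], [realms]
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not PINNED_KEY.match(key):
            continue
        # krb5.conf accepts commas and/or whitespace between enctype names
        enctypes = [e for e in re.split(r"[,\s]+", value) if e]
        single_des = [e for e in enctypes if e.lower() in SINGLE_DES]
        findings.append((lineno, key, enctypes, single_des))
    return findings


if __name__ == "__main__":
    for lineno, key, enctypes, single_des in find_pinned_enctypes(SAMPLE_KRB5_CONF):
        note = " (single-DES: " + ", ".join(single_des) + ")" if single_des else ""
        print(f"line {lineno}: {key} pins {len(enctypes)} enctype(s){note}")
```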