[krbdev.mit.edu #2155] krb5-1.3.x testing with default_tgs_enctypes in krb5.conf
Douglas E. Engert
deengert at anl.gov
Mon Feb 2 12:39:13 EST 2004
Ken Hornstein wrote:
>
> > default_tkt_enctypes = des-cbc-crc,des-cbc-md5
> > default_tgs_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1
>
> Doug, as a side comment ...
>
> I think I've got one of the stranger MIT krb5 installations around, and
> I've recently migrated a bunch of sites to 3DES only, so I think I have
> a reasonable amount of experience with enctypes issues (I discovered a
> bug in fwd_tgt.c regarding enctype processing a while ago). Given all of
> that, I have to ask you ... why are you putting default_*_enctypes
> entries in your krb5.conf? It should only be necessary in a few very
> strange circumstances; I have _one_ host where this is done, but that's
> only because of a Java-Kerberos implementation that can only handle
> single-DES. In every other case, I have never found it necessary (and
> having those entries can cause problems, as you have discovered).
Part of it was historic, we were using DCE security servers as the KDC.
We now have users in W2K ADs, and unix hosts in a MIT 1.2.8 kdc.
If we can upgrade to 1.3.2 on the unix clients and the KDC then we
can drop the default_* entries.
>
> Once upon a time, someone around here had the bright idea to do this.
> It took me _years_ to undo the lossage surrounding this, and it still
> occasionally screws me.
>
> Maybe you have a situation where this is necessary, or you want to force
> a particular priority, but from your email, I don't quite see why you need
> this. I only mention this to possibly help you save pain down the road.
>
Yes I want to get rid of them as well.
> --Ken
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
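
An added example, not part of the original message or of MIT krb5: a small Python check that finds default_tkt_enctypes / default_tgs_enctypes pins in the [libdefaults] section of a krb5.conf and notes whether a pin allows only single-DES. The sample configuration is constructed around the two lines quoted in the thread; the function name and the realm name are assumptions.

```python
import re

# Relations from the thread that pin the client's enctype lists.
PINNED_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")
# Single-DES enctype names quoted in the thread.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5"}


def audit_libdefaults(text):
    """Map each pinned key found in [libdefaults] to its parsed enctype list."""
    findings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                           # e.g. [libdefaults], [realms]
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue                         # only [libdefaults] relations matter here
        key, value = (part.strip() for part in line.split("=", 1))
        if key in PINNED_KEYS:
            # Lists may be separated by commas and/or whitespace.
            enctypes = [e for e in re.split(r"[,\s]+", value) if e]
            findings[key] = {
                "enctypes": enctypes,
                "single_des_only": bool(enctypes)
                and all(e in SINGLE_DES for e in enctypes),
            }
    return findings


# Constructed sample; EXAMPLE.ORG is a placeholder realm.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    # pins carried over from an older deployment
    default_tkt_enctypes = des-cbc-crc,des-cbc-md5
    default_tgs_enctypes = des-cbc-crc,des-cbc-md5,des3-cbc-sha1

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

if __name__ == "__main__":
    for key, info in audit_libdefaults(SAMPLE).items():
        note = " (single-DES only)" if info["single_des_only"] else ""
        print(f"{key}: {', '.join(info['enctypes'])}{note}")
```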