[krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Sun Apr 29 13:36:14 EDT 2007
gss_set_allowable_enctypes eventually ends up causing
krb5_set_default_tgs_enctypes to be called on a krb5_context.

We've been seeing a problem on Debian for 1.6 and 1.6.1 where the NFS
rpc.gssd ends up with an aes context even though it only supports a
des context and requests same by calling gss_set_allowable_enctypes.

I walked through this in gdb and found that while tgs_ktypes is
getting set in the context passed into krb5_get_credentials it is not
being respected. The credentials coming back from
krb5_get_credentials are (in my case) aes. The request to the KDC
includes all the enctypes.

I suspect the referrals code interacts badly with use_conf_ktypes or
something like that.

I actually don't see how referrals could work well with
use_conf_ktypes because I think they have conflicting requirements.

Before fixing this bug it is important to first understand what is
going on and second have a discussion on krbdev about what should
happen instead. I don't think this will be a simple fix.

--Sam