Sam Hartman hartmans at MIT.EDU
Fri Oct 4 16:43:01 EDT 2002

des3-cbc-raw is always wrong to use as a key; it is an internal enctype that you should never put in supported_enctypes in your kdc.conf.

Yes, des3-cbc-sha1 is known to work for GSSAPI.  I suspect you have
overly restrictive default_tgs_enctypes or default_tkt_enctypes on
your client; comment them out and see what happens.

If that doesn't work ask for help on kerberos at

More information about the krbdev mailing list