Unable to have KDC use different enctype for session/service key

Sam Hartman hartmans at MIT.EDU
Tue Sep 17 10:50:01 EDT 2002


>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

    Ken> The problem is that I have a choice between:

    Ken> - Changing something on the KDC, which is fairly reasonable.

No, it's not; you are encoding client configuration information into the KDC.

    Ken> - Changing something on 5000+ krb5.conf files scattered all
    Ken> over creation, which is a screaming nightmare.

But you already have this issue.  You need to upgrade those clients to
support 3des in the first place.  I suggest that you add to whatever
process is allowing you to get new kinits out to clients the ability
to get new krb5.confs out to clients.

If you cannot get a new kinit to a client then it will not request 3des at all.

    Ken> I'm missing something here; is there a reason why the session
    Ken> key enctype should _NOT_ be adjustable on the KDC?  I mean,
    Ken> it seems like the best solution (really, the only practical
    Ken> solution).

Yes.  Configuring enctypes on Kerberos is overly complex as is; we
want to decrease that complexity not increase it.  Long term we are
looking at removing some of the configuration options not adding more.
