Issues with keytab creation related to switch to w2k3 w/ ktutil
Jeffrey Altman
jaltman at columbia.edu
Wed Apr 7 23:42:35 EDT 2004
Sam Hartman wrote:
>>>>>>"Douglas" == Douglas E Engert <deengert at anl.gov> writes:
>>>>>>
>
> Douglas> Jeffrey Altman wrote:
> >> Nathan:
> >>
> >> Are you sure you are receiving the correct enctype? Doug has
> >> reported that he is receiving DES-CBC-MD5 when he is expecting
> >> DES-CBC-CRC from Windows 2003.
>
> Douglas> W2003 does not let the client select the the enctype, so
> Douglas> even if you request des-cbc-crc, it will send
> Douglas> des-cbc-md5.
>
>And note this is completely correct behavior for the ticket enctype.
>The client should not have any influence over that.
>
You are absolutely correct. The real problem is that there
is no mechanism in the Windows AD to specify which enctypes
the client service supports.
The place this becomes a problem is with AFS because AFS
traditionally only supports the DES-CBC-CRC and not DES-CBC-MD5
or DES-CBC-MD4. (this will be corrected in the next couple of
days.)
More information about the krbdev
mailing list