default_tkt_enctypes and default_tgs_enctypes linkage?

Sam Hartman hartmans at MIT.EDU
Thu Sep 8 15:40:21 EDT 2005

>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:

    Will> What I'm trying to point out here in my long winded way is
    Will> that I don't understand the linkage between
    Will> default_tkt_enctypes and default_tgs_enctypes.  

I think it's more like you don't understand the fact that
default_tgs_enctypes is used to decide what enctypes are valid tgts to
use for tgs requests *and* what enctypes to request from the TGS.

fortunately none of us really understand that either; it seems kind of
The options for fixing it include:

* Introduce a third option 
* have permitted_enctypes influence client behavior

* Combine default_tkt_enctypes and default_tgs_enctypes together
  somehow and retain only one option.  Do something to support old
  config files.

Adding a third option seems like the clear wrong direction.  The
configuration is too complex; it does not need to get more complex.

Using permitted_enctypes seems wrong because that's designed to
control server behavior.

I think we'd like to move to a single option controlling all client
enctypes including: AS requests, selection of usable credentials from
the cache, TGS requests.


More information about the krbdev mailing list