another similar enctype issue

Will Fiveash William.Fiveash at sun.com
Thu Sep 29 20:52:24 EDT 2005


On Wed, Sep 28, 2005 at 05:54:33PM -0400, Sam Hartman wrote:
> It's not clear to me that your fix is correct.  Your fix causes the
> client to actually use des-cbc-md5 even though the client only is
> permitted to use des-cbc-crc by policy.

What I saw was if default_tkt_enctypes = des-cbc-crc and the user princ
had a des-cbc-md5 key in the princ DB, the TGT skey enctype was
des-cbc-crc.  So it did not seem like a violation of the
default_tkt_enctypes to me.

> There appears to be code in our KDC at least to return des-cbc-crc
> preauth if there is a des-cbc-md5 key and vice versa.  This code will
> never return a key the client did not request.

Can you tell me which function I need to look at on the KDC side?

> So, I tend to consider this a KDC side issue not a client side issue.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

