regression due to referral realm

Henry B. Hotz hotz at
Thu Feb 5 12:27:51 EST 2009

On Feb 5, 2009, at 8:30 AM, Nicolas Williams wrote:

> On Wed, Feb 04, 2009 at 12:15:24PM -0800, Henry B. Hotz wrote:
>> As a tangental nit, I wish the list of supported enctypes sent by
>> krb5_get_init_creds_keytab() was limited to those actually in the
>> keytab file (that are also supported by the library in question of
>> course).  Since this has been discussed in the past, it's possible  
>> you-
>> all have taken care of it, and I'm out of date.
> That's a separate issue, and not necessarily a bug: as long as the
> keytab and the KDB entry for that princ ar in sync there's no problem.

I agree, if the keytab is created by direct extraction from the KDB,  
then synchronization is likely.

However, there are a lot of reasons why that might not be true.  You  
may extract with a different code base from your intended app (think  
Java 1.4.2 for instance), or you may need SA's to create keytabs  
directly from passwords.

> Also, IIRC you can affect this via default_*_enctypes.

This solution is too global, usually.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list