allow_weak_enctypes=false and AFS
rra at stanford.edu
Tue Jan 19 14:04:12 EST 2010
ghudson at mit.edu writes:
> Debian developers have an interest in making their OpenAFS packages
> work with krb5 1.8 out of the box, and auto-editing krb5.conf is not
> the most satisfactory solution. For more background, see:
> We are currently planning to add an API which aklog can use to
> override the value of allow_weak_crypto, which might look like:
> krb5_error_code krb5_allow_weak_crypto(krb5_context ctx, krb5_boolean enable);
> This is different from Heimdal's krb5_enctype_enable(), but turns out
> to be the easiest change we could make. (Heimdal uses a rather
> different architecture for enabling and disabling enctypes than we
Thank you! This will make our lives so much easier. I'll take care of
getting this change into the OpenAFS aklog once the new API lands.
> We also appear to generate a confusing error message in the KDC log
> when a client performs a TGS request without including any enctypes
> present in the principal. I'll fix that assuming it doesn't prove to
> be too difficult.
This is a fairly long-standing issue that I've run into before in
completely different situations, such as configuring cross-realm trust.
It would be nice to get a nicer error message than principal not found.
Thank you here as well!
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>