allow_weak_enctypes=false and AFS

Russ Allbery rra at
Tue Jan 19 14:04:12 EST 2010

ghudson at writes:

> Debian developers have an interest in making their OpenAFS packages
> work with krb5 1.8 out of the box, and auto-editing krb5.conf is not
> the most satisfactory solution.  For more background, see:

> We are currently planning to add an API which aklog can use to
> override the value of allow_weak_crypto, which might look like:

> krb5_error_code krb5_allow_weak_crypto(krb5_context ctx, krb5_boolean enable);

> This is different from Heimdal's krb5_enctype_enable(), but turns out
> to be the easiest change we could make.  (Heimdal uses a rather
> different architecture for enabling and disabling enctypes than we
> do.)

Thank you!  This will make our lives so much easier.  I'll take care of
getting this change into the OpenAFS aklog once the new API lands.

> We also appear to generate a confusing error message in the KDC log
> when a client performs a TGS request without including any enctypes
> present in the principal.  I'll fix that assuming it doesn't prove to
> be too difficult.

This is a fairly long-standing issue that I've run into before in
completely different situations, such as configuring cross-realm trust.
It would be nice to get a nicer error message than principal not found.
Thank you here as well!

Russ Allbery (rra at             <>

More information about the krbdev mailing list