allow_weak_enctypes=false and AFS

Greg Hudson ghudson at
Wed Jan 20 13:00:22 EST 2010

On Tue, 2010-01-19 at 13:58 -0500, ghudson at MIT.EDU wrote:
> We also appear to generate a confusing error message in the KDC log
> when a client performs a TGS request without including any enctypes
> present in the principal.  I'll fix that assuming it doesn't prove to
> be too difficult.

I am having trouble reproducing this problem using kvno.  In the Debian
bug report, a reference is made to "the kdc log saying that the
principal simply doesn't exist."  But from the code and my experiments,
you get a "KDC has no support for encryption type" message in both the
log and on the client.  That message could probably be improved on, at
least in the log, but I feel like I'm not testing the right thing.

The krb5 1.6 code seems to do the same thing if a session key cannot be
selected, so I don't think it's as simple as Thomas running a 1.6 KDC or

(What I have been testing: create a regular principal, and a principal
containing only a DES key.  Start the KDC with allow_weak_crypto=true,
but set allow_weak_crypto=false in the profile used by the clients.
kinit as the regular principal.  kvno the DES-only principal.  I also
tried the AS path, by doing kinit on the DES-only principal, and I get
the same result as I do with kvno.)

More information about the krbdev mailing list