allow_weak_enctypes=false and AFS
ghudson at mit.edu
Wed Jan 20 13:00:22 EST 2010

On Tue, 2010-01-19 at 13:58 -0500, ghudson at MIT.EDU wrote:
> We also appear to generate a confusing error message in the KDC log
> when a client performs a TGS request without including any enctypes
> present in the principal. I'll fix that assuming it doesn't prove to
> be too difficult.

I am having trouble reproducing this problem using kvno. In the Debian
bug report, a reference is made to "the kdc log saying that the
principal simply doesn't exist." But from the code and my experiments,
you get a "KDC has no support for encryption type" message in both the
log and on the client. That message could probably be improved on, at
least in the log, but I feel like I'm not testing the right thing.

The krb5 1.6 code seems to do the same thing if a session key cannot be
selected, so I don't think it's as simple as Thomas running a 1.6 KDC or

(What I have been testing: create a regular principal, and a principal
containing only a DES key. Start the KDC with allow_weak_crypto=true,
but set allow_weak_crypto=false in the profile used by the clients.
kinit as the regular principal. kvno the DES-only principal. I also
tried the AS path, by doing kinit on the DES-only principal, and I get
the same result as I do with kvno.)
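
The test setup described in the message, as an added simplified model that is not part of the original post and is not MIT krb5 code: it shows why a client profile with allow_weak_crypto=false ends in "KDC has no support for encryption type" for a DES-only principal. The function names, the enctype lists and the contents of the weak set are assumptions made for illustration.

```python
# Simplified model (assumption, not MIT krb5 source) of enctype selection
# for the test in the message: KDC allows weak crypto, client does not.

# Single-DES and export-RC4 enctypes; an illustrative subset of what
# allow_weak_crypto=false filters out.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac-exp"}

ETYPE_NOSUPP = "KDC has no support for encryption type"

# Constructed sample data: a client default list and two principals' key sets.
CLIENT_DEFAULT = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                  "des3-cbc-sha1", "arcfour-hmac", "des-cbc-crc"]
REGULAR_KEYS = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "des-cbc-crc"]
DES_ONLY_KEYS = ["des-cbc-crc"]


def permitted(enctypes, allow_weak_crypto):
    """Drop weak enctypes unless the profile sets allow_weak_crypto=true."""
    return [e for e in enctypes if allow_weak_crypto or e not in WEAK]


def select_enctype(requested, principal_keys, kdc_allow_weak):
    """Return the first requested enctype the principal has a usable key for."""
    usable = set(permitted(principal_keys, kdc_allow_weak))
    for enctype in requested:
        if enctype in usable:
            return enctype
    return None


def request(principal_keys, client_allow_weak, kdc_allow_weak=True):
    """Model one AS or TGS request; return the chosen enctype or the error."""
    requested = permitted(CLIENT_DEFAULT, client_allow_weak)
    chosen = select_enctype(requested, principal_keys, kdc_allow_weak)
    return chosen if chosen is not None else ETYPE_NOSUPP


if __name__ == "__main__":
    # Client profile has allow_weak_crypto=false, as in the message.
    print("regular :", request(REGULAR_KEYS, client_allow_weak=False))
    print("DES-only:", request(DES_ONLY_KEYS, client_allow_weak=False))
    # Same principal once the client profile also allows weak crypto.
    print("DES-only, weak allowed:", request(DES_ONLY_KEYS, client_allow_weak=True))
```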