kinit always specifies all available etypes in AS-REQ?

Weijun Wang Weijun.Wang at
Mon May 24 06:22:48 EDT 2010

Hi All

kinit can use a keytab file to request for a TGT. My keytab only includes keys for several etypes, but it seems kinit still includes all supported etypes in the AS-REQ message. When the KDC (Windows Server 2008) sends back the preauth challenge listing aes256-cts (which I don't have in my keytab) as the first etype in PA-ETYPE-INFO2, kinit fails saying --

  kinit: Key table entry not found while getting initial credentials

If preauth is disabled, KDC simply sends back a TGT with session key encrypted with aes256-cts, and kinit shows the same error.

Why can't kinit only specifies the etypes in the keytab at the beginning? Is this a feature or a bug?

I'm using 1.7 on Ubuntu.


More information about the krbdev mailing list