kinit always specifies all available etypes in AS-REQ?
Weijun.Wang at sun.com
Mon May 24 06:22:48 EDT 2010
kinit can use a keytab file to request a TGT. My keytab only includes keys for several etypes, but it seems kinit still includes all supported etypes in the AS-REQ message. When the KDC (Windows Server 2008) sends back the preauth challenge listing aes256-cts (which I don't have in my keytab) as the first etype in PA-ETYPE-INFO2, kinit fails saying --
kinit: Key table entry not found while getting initial credentials
If preauth is disabled, the KDC simply sends back a TGT with the session key encrypted with aes256-cts, and kinit shows the same error.
Why can't kinit only specify the etypes in the keytab at the beginning? Is this a feature or a bug?
I'm using 1.7 on Ubuntu.
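
A diagnostic for the mismatch described above, as an added example that is not part of the original post: it lists the etypes a keytab holds keys for and checks whether the etype the KDC lists first is among them. It assumes the MIT keytab file format version 0x0502; the function names and the sample keytab bytes are constructed for illustration.

```python
import struct

def keytab_etypes(data):
    """Return the set of etype numbers that have keys in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                   # end marker
            break
        if size < 0:                    # hole left by a deleted entry
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        for _ in range(ncomp + 1):      # realm, then each name component
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
        p += 4 + 4 + 1                  # name type, timestamp, 8-bit kvno
        if p + 2 > end:
            raise ValueError("malformed keytab entry")
        found.add(struct.unpack_from(">H", data, p)[0])
        pos = end
    return found

def first_offer_has_key(kdc_offer, have):
    """True when the keytab holds a key for the etype the KDC lists first."""
    return bool(kdc_offer) and kdc_offer[0] in have

def _entry(realm, comps, etype, key):
    """Build one constructed keytab entry (sample data only)."""
    cs = lambda s: struct.pack(">H", len(s)) + s
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, 1, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: etype 23 (arcfour-hmac) and 17 (aes128), no 18 (aes256).
NAME = (b"EXAMPLE.COM", [b"host", b"a.example.com"])
SAMPLE = (b"\x05\x02" + _entry(*NAME, 23, b"\0" * 16)
          + struct.pack(">i", -8) + b"\0" * 8     # a hole
          + _entry(*NAME, 17, b"\0" * 16))

if __name__ == "__main__":
    have = keytab_etypes(SAMPLE)
    print(sorted(have), first_offer_has_key([18, 23], have))
```
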