random to key from password

Russ Allbery rra at stanford.edu
Mon Sep 27 18:20:38 EDT 2010


Nicolas Williams <Nicolas.Williams at oracle.com> writes:

> At least nowadays all clients should support PA-ENC-TIMESTAMP, so you
> could revisit your decision.  But really, it'd be better to have more
> knobs here.

The problem wasn't that not all clients support PA-ENC-TIMESTAMP.  The
problem is that if you don't mark a principal as requiring pre-auth, no
pre-auth will be done, even if the client supports it.  Therefore, if you
set a service principal as requiring pre-auth before setting all
principals authenticating to that service principal as requiring pre-auth
(and waiting for existing ticket caches to expire), authentications
suddenly start failing.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
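
A pre-flight check for the rollout order described in this message, added here as an example and not part of the original post. The principal names and the sample text are constructed, the text is modeled on `kadmin getprinc` output, and the wait estimate assumes each client's maximum ticket life bounds its existing caches (renewable lifetimes are ignored).

```python
import re

# Constructed sample, modeled on `kadmin getprinc` output (trimmed to the fields used).
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.ORG
Maximum ticket life: 0 days 10:00:00
Attributes: REQUIRES_PRE_AUTH

Principal: bob@EXAMPLE.ORG
Maximum ticket life: 1 day 00:00:00
Attributes:

Principal: host/app.example.org@EXAMPLE.ORG
Maximum ticket life: 1 day 00:00:00
Attributes:
"""

def parse_principals(text):
    """Return {principal: {"preauth": bool, "life": seconds}} from getprinc-style text."""
    out = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = re.search(r"^Principal:\s*(\S+)", block, re.M).group(1)
        attrs = re.search(r"^Attributes:[ \t]*(.*)$", block, re.M).group(1).split()
        m = re.search(r"^Maximum ticket life:\s*(\d+) days? (\d+):(\d+):(\d+)", block, re.M)
        d, h, mi, s = map(int, m.groups())
        out[name] = {"preauth": "REQUIRES_PRE_AUTH" in attrs,
                     "life": ((d * 24 + h) * 60 + mi) * 60 + s}
    return out

def service_ticket_issued(tgt_preauthenticated, service_requires_preauth):
    """Model of the failure in the message: a service flagged as requiring
    pre-auth is refused to a client whose TGT was obtained without pre-auth."""
    return tgt_preauthenticated or not service_requires_preauth

def rollout_blockers(principals, clients):
    """Clients not yet flagged; flagging the service now would break them."""
    return sorted(c for c in clients if not principals[c]["preauth"])

def wait_seconds(principals, clients):
    """Assumption: after flagging every client, wait out the longest ticket life
    so caches obtained without pre-auth have expired before flagging the service."""
    return max(principals[c]["life"] for c in clients)
```
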



More information about the krbdev mailing list