Peter Jordan <usernetw...@gmx.info> writes:

> hmmm, although I have set supported enctypes
> supported_enctypes = aes256-cts:normal
> and restarted kdc nothing seems to have changed.
>
> After calling "kinit" klist -5e shows me:
> Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc
> mode with HMAC/sha1

It sounds like removing something from supported_enctypes in the KDC may
not turn things off to quite the degree that I thought it would and if
only old keys are available, old keys are still used. You'll need to
change your krbtgt key in order to get newer enctypes for your
ticket-granting tickets. You'll want to use -keepold unless you can
afford a flag day that invalidates all existing ticket caches.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
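
A way to check the situation described in this message, as an added example that is not part of the original post: the script parses `klist -5e` output and reports tickets whose ticket enctype (the second value, which comes from the service's long-term key) is not AES. The sample output, the principal names and the list of AES markers are constructed assumptions.

```python
import re

# Constructed sample of `klist -5e` output (not taken from the thread).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
01/01/10 10:00:00  01/01/10 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
01/01/10 10:05:00  01/01/10 20:00:00  host/server.example.org@EXAMPLE.ORG
\tEtype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

# Assumption: substrings that identify AES in both the long and the short
# enctype names that klist may print.
STRONG_MARKERS = ("aes-256", "aes256", "aes-128", "aes128")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")
PRINC_RE = re.compile(r"(\S+@\S+)\s*$")  # ticket line ends with the principal

def is_strong(etype):
    return any(marker in etype.lower() for marker in STRONG_MARKERS)

def audit_klist(text):
    """Return (service, skey, tkt, finding) for every ticket in the cache."""
    results, service = [], None
    for line in text.splitlines():
        m = ETYPE_RE.match(line)
        if m and service:
            skey, tkt = m.groups()
            # tkt is encrypted in the service's long-term key, so a legacy
            # value on a krbtgt ticket means the krbtgt key itself is old.
            if is_strong(tkt):
                finding = "ok"
            elif service.startswith("krbtgt/"):
                finding = "rekey krbtgt"
            else:
                finding = "rekey service"
            results.append((service, skey, tkt, finding))
            service = None
            continue
        m = PRINC_RE.search(line)
        if m and not line.startswith(("Default principal", "Ticket cache")):
            service = m.group(1)
    return results

if __name__ == "__main__":
    for row in audit_klist(SAMPLE):
        print(row)
```

Run it again on fresh `klist -5e` output after a new `kinit` to confirm that the ticket-granting ticket has moved to the newer enctype once the krbtgt key has been changed.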