I do have a setup with two KDCs (a Windows and a non-Windows KDC). I'd like to use the highest encryption type available. The krb5.conf on my client looks like:

[libdefaults]
    default_realm = W2K3.COM
    default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc

[realms]
    W2K3.COM = {
        kdc = kdc.w2k3.com:88
        kpasswd_server = kdc.w2k3.com:464
    }
    MIT.COM = {
        kdc = kdc.mit.com:88
        kpasswd_server = kdc.mit.com:464
    }

[domain_realm]
    .mit.com = MIT.COM
    .w2k3.com = W2K3.COM

A kinit [EMAIL PROTECTED] gives the following error:

    kinit(v5): KDC has no support for encryption type while getting initial credentials

It works the other way round, e.g.

    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

kinit [EMAIL PROTECTED] gives no error and I get a TGT.

I know that MS doesn't support 3DES, but I thought if I give a list it will use the next highest supported encryption type. Is this a bug in MS or does the standard allow this behaviour?

Thanks
Markus
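
The negotiation asked about above, as an added example that is not part of the original message: it reads the client's ordered enctype list from krb5.conf text and applies the selection rule of RFC 4120 section 3.1.3 (the KDC uses the first requested etype it has a key for, and returns KDC_ERR_ETYPE_NOSUPP only when none match). The function names and the KDC_NO_DES3 set are assumptions for illustration; the set follows the message's statement that the Windows KDC has no 3DES support, and the code models the RFC rule, not any particular KDC implementation.

```python
import re

KDC_ERR_ETYPE_NOSUPP = 14  # RFC 4120 error code

# Constructed sample input: the two enctype orderings quoted in the message.
CONF_DES3_FIRST = """
[libdefaults]
    default_realm = W2K3.COM
    default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
"""
CONF_RC4_FIRST = CONF_DES3_FIRST.replace(
    "des3-cbc-sha1 rc4-hmac", "rc4-hmac des3-cbc-sha1")

# Assumption: a KDC holding no 3DES keys, as the message describes.
KDC_NO_DES3 = {"rc4-hmac", "des-cbc-md5", "des-cbc-crc"}


def client_etypes(conf, key="default_tkt_enctypes"):
    """Return the ordered enctype list for `key` in [libdefaults]."""
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                return re.split(r"[\s,]+", value)  # order is preference
    return []


def kdc_select(requested, kdc_supported):
    """Pick the first requested etype the KDC supports, else an error."""
    for etype in requested:
        if etype in kdc_supported:
            return ("AS-REP", etype)
    return ("KRB-ERROR", KDC_ERR_ETYPE_NOSUPP)


if __name__ == "__main__":
    for conf in (CONF_DES3_FIRST, CONF_RC4_FIRST):
        etypes = client_etypes(conf)
        print(etypes, "->", kdc_select(etypes, KDC_NO_DES3))
```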