On Wednesday, October 11, 2006 06:16:33 PM -0400 Marcus Watts <[EMAIL PROTECTED]> wrote:
> In the MIT kerberos source, there's a pair of routines
> select_session_keytype and dbentry_supports_enctype that are probably
> making this decision for you. Here's the comment in
> dbentry_supports_enctype:
>     /*
>      * If it's DES_CBC_MD5, there's a bit in the attribute mask which
>      * checks to see if we support it. For now, treat it as always
>      * clear.
>      *
>      * In theory everything's supposed to support DES_CBC_MD5, but
>      * that's not the reality....
>      */
> Unfortunately, that's followed immediately by
>     if (enctype == ENCTYPE_DES_CBC_MD5) return 0;
> which should have the effect "never use des-cbc-md5".
> Presumably the "bit in the attribute mask" never got implemented.
> The bit itself appears to be defined -- looks like it's called
> KRB5_KDB_SUPPORT_DESMD5 (0x4000) or "support_desmd5".

Except the issue here is he's getting a DES_CBC_MD4 session key when he wants DES_CBC_CRC. The "why" is likely in the code you're quoting - DES_CBC_MD4 is a "better" enctype, and both sides appear to support it (since the single-des types are interchangeable).

I'd be curious to know how the resulting ticket is not "useful"; that is, what application is being used and what error results when attempting to use that ticket.

-- Jeff
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos