On Fri, Nov 02, 2007 at 01:54:07PM -0400, Kevin Coffman wrote:
> > default_tkt_enctypes = des-cbc-crc
> > default_tgs_enctypes = des-cbc-crc
>
> ktadd does not look at those enctype definitions on the local machine
> where you run ktadd. What is used is the "supported_enctypes" defined
> for the realm in the kdc configuration. If your service doesn't
> support all the enctypes listed there, then you must limit the list
> with the -e option when doing the ktadd.
Er, it's a bit more complicated than that.

kadmin ktadd without a -e argument lets kadmind pick an enctype list, namely, the supported_enctypes list (note: that's the KDC-side setting of supported_enctypes). kadmin ktadd with a -e argument specifies which enctypes to use.

On Solaris 10 and up it's a bit more complicated still: without a -e argument kadmin ktadd behaves as if you had used -e with the list of permitted_enctypes (note: that's the client-side setting of permitted_enctypes). And the Solaris 10 and up kadmind uses 1DES enctypes only for clients that use the randkey-without-enctypes RPC.

Bottom-line:

- when doing ktadd you really want to specify what enctypes to use or else default to the *local* permitted_enctypes value, and of the enctypes you do specify, if you do, at least one should be listed in the local permitted_enctypes;

- if you're using straight MIT krb5's kadmin client then you should just always use the -e argument to ktadd, always.

I think MIT should change kadmin's ktadd command to work more or less as the Solaris one does.

The above applies only to ktadd, not chpass.

Nico
--
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
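The check the thread boils down to, namely that at least one key in the keytab is in an enctype the local permitted_enctypes allows, can be scripted. The following is an added example, not code from the thread or from MIT krb5: it parses a constructed krb5.conf fragment and constructed `klist -kte` output, reports per principal which keytab entries are usable under permitted_enctypes, and builds the `ktadd -e` command line that would restrict the keys to the locally permitted enctypes. The display-name-to-config-name table is an assumption covering only the enctypes in the sample.

```python
"""Keytab vs. permitted_enctypes check (added example; inputs are constructed)."""
import re

# Constructed client-side krb5.conf fragment: only AES enctypes are permitted.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

# Constructed `klist -kte` output for a keytab written by ktadd without -e,
# i.e. with whatever supported_enctypes the KDC happened to have.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/02/2007 13:54:07 host/www.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 11/02/2007 13:54:07 host/www.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 11/02/2007 13:50:00 ldap/www.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

# Assumption: mapping from klist's display strings to krb5.conf enctype names;
# it covers only the enctypes used in the sample above.
DISPLAY_TO_CONF = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# One keytab entry line: kvno, date, time, principal, "(enctype display name)".
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_permitted_enctypes(conf_text):
    """Return the permitted_enctypes list from krb5.conf, [] if unset."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", conf_text, re.M)
    if not m:
        return []
    return [e.lower() for e in re.split(r"[\s,]+", m.group(1).strip()) if e]


def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype)] from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue  # header, separator, or "Keytab name:" line
        kvno, _ts, princ, disp = m.groups()
        entries.append((int(kvno), princ, DISPLAY_TO_CONF.get(disp, disp.lower())))
    return entries


def check_keytab(conf_text, klist_text):
    """Per principal, split keytab enctypes into usable/unusable under the
    local permitted_enctypes; 'ok' is False when no key at all is usable,
    which is the case where the service cannot accept any ticket."""
    permitted = set(parse_permitted_enctypes(conf_text))
    report = {}
    for _kvno, princ, etype in parse_keytab_listing(klist_text):
        r = report.setdefault(princ, {"usable": [], "unusable": []})
        (r["usable"] if etype in permitted else r["unusable"]).append(etype)
    for r in report.values():
        r["ok"] = bool(r["usable"])
    return report


def suggest_ktadd(principal, permitted):
    """Build the explicit `ktadd -e` line the thread recommends, restricting
    the new keys to the locally permitted enctypes (salt type 'normal')."""
    spec = " ".join(f"{e}:normal" for e in permitted)
    return f'ktadd -e "{spec}" {principal}'


if __name__ == "__main__":
    permitted = parse_permitted_enctypes(KRB5_CONF)
    for princ, r in check_keytab(KRB5_CONF, KLIST_OUTPUT).items():
        status = "OK" if r["ok"] else "NO USABLE KEY"
        print(f"{princ}: {status}; usable={r['usable']} unusable={r['unusable']}")
        if not r["ok"]:
            print("  fix:", suggest_ktadd(princ, permitted))
```

Run against a real system, the two constructed strings would be replaced by the contents of /etc/krb5.conf and the output of `klist -kte`; a principal reported with no usable key is exactly the situation the thread describes, where the KDC's supported_enctypes and the host's permitted_enctypes do not overlap and ktadd was run without -e.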