John Harris <har...@ucdavis.edu> writes: > Greetings, > > I currently have a MIT KDC where I need to use the des-cbc-crc:normal > encryption type on *one* service principal. The rest of my KDC all > principals can be aes or rc4. I'm confused as to what I need in my > config and what will work. > > If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf > in the supported_enctypes field, I'm still able to create the > des-cbc-crc:normal service principal I need. In fact, I can kinit -S > for it and obtain it. My confusion lies in that I thought not having > des-cbc-crc:normal in this configuration line meant the KDC wouldn't > recognize or serve tickets for it. > > It'd be great to not have to put this in the config line so that later > principals only get the aes256 and rc4 types on them, but I'm not > understanding why I'm successfully obtaining a principal with only the > des encryption type without adding it to this line.
The "supported_enctypes" configuration variable really means "default list of enctype-salttype pairs for which the kadmin subsystem will generate keys". The name is arguably misleading; if anyone has ideas about a better name, please suggest one. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos