On 07/27/2015 10:51 AM, Todd Grayson wrote:
> The question is; how much variation can be tolerated on the configuration
> of encryption type settings within the krb5.conf / kdc.conf

Only what is listed in the "Encryption types" table.

> I constantly see "clipped" values being used and I wonder, is kerberos
> using those, or is it just discarding and going to default behavior at that
> point, and the settings are worthless.

Unrecognized entries are ignored, but we don't discard the entire setting as a result. If all entries in the list are unrecognized, you can wind up with an empty enctype list, which should cause the affected operations to fail.

> Examples of this are:
>
> aes-256 for aes256-cts-hmac-sha1-96
> rc4-hmac for arcfour-hmac-md5

rc4-hmac is in the table and should work. aes-256 is not a recognized abbreviation. Experimentally, if I set:

    [libdefaults]
        default_tkt_enctypes = aes-256

then kinit fails:

    $ KRB5_TRACE=/dev/stdout kinit user
    [5912] 1438010237.103621: Getting initial credentials for u...@krbtest.com
    [5912] 1438010237.103688: Unrecognized enctype name in default_tkt_enctypes: aes-256
    [...]
    kinit: No supported encryption types (config file error?) while getting initial credentials

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
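As an added illustration (not part of the thread above and not MIT krb5 code), the following small lint mimics the behaviour described in the reply: each name in an enctype list is looked up on its own, unrecognized names are skipped, and a list with nothing left in it is reported as a config error. The alias table is a partial reconstruction of the documented "Encryption types" table and is an assumption of this example; the real library also accepts family names and the DEFAULT/+/- list syntax, which are not modelled here.

```python
# Added example: lint krb5.conf enctype lists the way the reply describes
# krb5 treating them. ENCTYPE_TABLE is a partial, assumed reconstruction of
# the MIT "Encryption types" table (canonical name -> accepted spellings).
import re

ENCTYPE_TABLE = {
    "aes256-cts-hmac-sha1-96": {"aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"},
    "aes128-cts-hmac-sha1-96": {"aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"},
    "arcfour-hmac": {"arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"},
    "des3-cbc-sha1": {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"},
    "camellia256-cts-cmac": {"camellia256-cts-cmac", "camellia256-cts"},
    "camellia128-cts-cmac": {"camellia128-cts-cmac", "camellia128-cts"},
}
# flat lookup: every accepted spelling -> canonical name (matched case-insensitively)
_ALIASES = {alias: canon for canon, names in ENCTYPE_TABLE.items() for alias in names}


def parse_enctype_list(value):
    """Return (recognized canonical enctypes, unrecognized tokens).

    Tokens are separated by whitespace or commas, as in krb5.conf.
    """
    recognized, unknown = [], []
    for token in re.split(r"[\s,]+", value.strip()):
        if not token:
            continue
        canon = _ALIASES.get(token.lower())
        if canon is None:
            unknown.append(token)  # skipped, like "Unrecognized enctype name" in the trace
        elif canon not in recognized:
            recognized.append(canon)
    return recognized, unknown


def lint_setting(name, value):
    """Warnings for one setting; an empty parsed list is the fatal case."""
    recognized, unknown = parse_enctype_list(value)
    msgs = [f"Unrecognized enctype name in {name}: {tok}" for tok in unknown]
    if not recognized:
        msgs.append(f"{name}: no supported encryption types (config file error?)")
    return msgs


if __name__ == "__main__":
    # constructed sample values mirroring the thread's examples
    for val in ("aes-256", "aes-256 rc4-hmac", "aes256-cts, aes128-cts"):
        print(repr(val), "->", parse_enctype_list(val),
              lint_setting("default_tkt_enctypes", val))
```

The second sample shows the partial case from the reply: rc4-hmac survives while aes-256 is dropped, so the setting is narrowed rather than discarded.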