Dirk Heinrichs wrote:
> On Wednesday, 3 January 2007 14:29, ext Jeffrey Altman wrote:
> 
>> P.S. In your krb5.conf file, don't do this:
>>
>>   default_tkt_enctypes = des-cbc-crc des-cbc-md5
>>   default_tgs_enctypes = des-cbc-crc des-cbc-md5
> 
> Is this a general recommendation or only for Erik? Can you give some 
> background info?
> 
> Thanx...
> 
>       Dirk

You *almost* never want to specify default_tkt_enctypes or
default_tgs_enctypes.  Doing so prevents the client from being able to
handle stronger ticket types when the KDC wants to issue them.

If you need to restrict a ticket enctype for a service such as
AFS you do so by limiting the enctypes for which that service
principal has keys in the Kerberos Database.  For AFS, there
should only be single DES keys associated with the service principal
in MIT or Heimdal.  In Active Directory, the "use DES only" flag
should be set.

Jeffrey Altman
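
An added example, not part of the original message: a small Python check that flags the client-side enctype pins discussed above in the `[libdefaults]` section of a krb5.conf. The function name, the sample file and the realm `EXAMPLE.ORG` are constructed for illustration.

```python
import re

# Relations the message above advises against setting on clients.
PINNED = ("default_tkt_enctypes", "default_tgs_enctypes")
# Single-DES enctype names as written in krb5.conf.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

def find_enctype_pins(conf_text):
    """Return (line_no, relation, enctypes, des_only) for each pin in [libdefaults]."""
    findings = []
    section = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:                           # new section, e.g. [realms]
            section = header.group(1).strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in PINNED:
            # Enctype lists may be separated by whitespace or commas.
            enctypes = [e.lower() for e in re.split(r"[,\s]+", value) if e]
            des_only = bool(enctypes) and all(e in SINGLE_DES for e in enctypes)
            findings.append((line_no, key, enctypes, des_only))
    return findings

# Constructed sample configuration (not taken from the thread).
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    # default_tkt_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc, aes256-cts-hmac-sha1-96

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

if __name__ == "__main__":
    for line_no, key, enctypes, des_only in find_enctype_pins(SAMPLE):
        note = "single DES only" if des_only else "pinned list"
        print(f"line {line_no}: {key} = {' '.join(enctypes)} ({note})")
```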
