[39056] in Kerberos


Re: Replica KDC has no support for encryption type

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Feb 4 12:23:35 2022

To: <debian@lhanke.de>, "kerberos@MIT.EDU" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <387069fb-7834-588d-c8f7-b2575434402b@mit.edu>
Date: Fri, 4 Feb 2022 12:19:57 -0500
In-Reply-To: <917dadc9-e45b-f86a-e394-754ccc30eeae@lhanke.de>

On 2/4/22 2:19 AM, Dr. Lars Hanke wrote:
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)

It might help to compare the KDC log entry for this TGS request on the
old and new KDC.

During a TGS request, "KDC has no support for encryption type" can mean
that the KDC could not select an encryption type for the session key.
The session key enctype must be present in (1) the enctypes listed in
the KDC request, (2) the KDC's permitted_enctypes if set, and (3) the
enctypes supported by the server DB entry (which is usually the enctypes
of the server's long-term keys, unless overridden by the
session_enctypes string attribute).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
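
The three-way check described in the reply above, as an added example that is not part of the original post and is not MIT krb5 code. The function and table names are hypothetical, the sample lists are constructed, and walking the request list in order to take the first acceptable entry is an assumption of this sketch:

```python
# Added diagnostic sketch; not KDC source code. Enctype numbers are the IANA-assigned ones.
ENCTYPES = {
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac",
    25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
BY_NAME = {name: num for num, name in ENCTYPES.items()}
# Short aliases accepted in krb5.conf / kadmin enctype lists.
BY_NAME.update({"aes128-cts": 17, "aes256-cts": 18, "aes128-sha2": 19,
                "aes256-sha2": 20, "rc4-hmac": 23})

def normalize(items):
    """Turn a list (or whitespace/comma separated string) of names or numbers into ints."""
    if isinstance(items, str):
        items = items.replace(",", " ").split()
    out = []
    for item in items:
        text = str(item).strip().lower()
        num = int(text) if text.isdigit() else BY_NAME.get(text)
        if num not in ENCTYPES:
            raise ValueError(f"unknown enctype: {item!r}")
        out.append(num)
    return out

def explain_session_enctype(request, permitted, server_keys, session_enctypes=None):
    """Return (chosen_name_or_None, {rejected_name: [failed constraints]})."""
    perm = None if permitted is None else set(normalize(permitted))
    # (3): long-term key enctypes unless the session_enctypes string attribute overrides them
    srv = set(normalize(session_enctypes if session_enctypes else server_keys))
    chosen, rejected = None, {}
    for etype in normalize(request):          # (1): only request entries are candidates
        failed = []
        if perm is not None and etype not in perm:
            failed.append("permitted_enctypes")   # (2), applied only if set
        if etype not in srv:
            failed.append("server DB entry")
        if failed:
            rejected[ENCTYPES[etype]] = failed
        elif chosen is None:
            chosen = ENCTYPES[etype]
    return chosen, rejected

if __name__ == "__main__":
    # Constructed case: AES-only client, server principal holding only an RC4 key.
    print(explain_session_enctype("aes256-cts aes128-cts",
                                  "aes256-sha2 aes256-cts", ["rc4-hmac"]))
```

A result of `None` corresponds to the "KDC has no support for encryption type" case; the second return value names which of the three lists excluded each requested enctype.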
