[28649] in Kerberos
Re: gss_accept_sec_context
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Fri Nov 2 16:39:29 2007
Date: Fri, 2 Nov 2007 15:39:00 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Kevin Coffman <kwc@citi.umich.edu>
Message-ID: <20071102203900.GW11498@Sun.COM>
Mail-Followup-To: Kevin Coffman <kwc@citi.umich.edu>,
Manoj Mohan <manojm@us.ibm.com>, kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4d569c330711021054n18d3c5een387102b38a822e7d@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, Nov 02, 2007 at 01:54:07PM -0400, Kevin Coffman wrote:
> > default_tkt_enctypes = des-cbc-crc
> > default_tgs_enctypes = des-cbc-crc
>
> ktadd does not look at those enctype definitions on the local machine
> where you run ktadd. What is used is the "supported_enctypes" defined
> for the realm in the kdc configuration. If your service doesn't
> support all the enctypes listed there, then you must limit the list
> with the -e option when doing the ktadd.
Er, it's a bit more complicated than that.
kadmin ktadd without a -e argument lets kadmind pick an enctype list,
namely, the supported_enctypes list (note: that's the KDC-side setting
of supported_enctypes).
kadmin ktadd with a -e argument specifies which enctypes to use.
On Solaris 10 and up it's a bit more complicated still: without a -e
argument kadmin ktadd behaves as if you had used -e with the list of
permitted_enctypes (note: that's the client-side setting of
permitted_enctypes).
And the Solaris 10 and up kadmind uses 1DES enctypes only for clients
that use the randkey-without-enctypes RPC.
Bottom-line:
- when doing ktadd you really want to specify what enctypes to use or
else default to the *local* permitted_enctypes value, and of the
enctypes you do specify, if you do, at least one should be listed
in the local permitted_enctypes;
- if you're using straight MIT krb5's kadmin client then you should
just always use the -e argument to ktadd, always.
I think MIT should change kadmin's ktadd command to work more or less as
the Solaris one does.
The above applies only to ktadd, not chpass.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
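The bottom-line advice above (always pass an explicit -e list to ktadd, and make sure at least one of the enctypes you name is in the local permitted_enctypes) can be turned into a small pre-flight check. The following is an added example, not code from this thread or from MIT krb5: it parses the [libdefaults] section of a krb5.conf text, picks the -e list the way the message describes (explicit list if given, otherwise fall back to the local permitted_enctypes, using the "normal" salt type, which is an assumption of this example), refuses a request with no local overlap, and renders the kadmin command line. The krb5.conf fragment, the principal name and the keytab path are constructed for the demonstration.

```python
"""Added example: check a ktadd -e enctype list against the local krb5.conf
permitted_enctypes before invoking kadmin. Not code from the original message."""
import shlex

# Constructed krb5.conf fragment for the demonstration; not from the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # local policy: the enctypes this host is willing to use
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_section(conf_text, section):
    """Return the top-level 'key = value' settings of one krb5.conf section.
    Nested '{ ... }' blocks are skipped; comments start with '#' or ';'."""
    settings = {}
    in_section = False
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip() == section
            depth = 0
            continue
        if not in_section:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def permitted_enctypes(conf_text):
    """permitted_enctypes from [libdefaults] as a list, or None if absent.
    krb5.conf accepts either spaces or commas as separators."""
    value = parse_section(conf_text, "libdefaults").get("permitted_enctypes")
    if value is None:
        return None
    return value.replace(",", " ").split()


def enctype_name(spec):
    """'aes256-cts-hmac-sha1-96:normal' -> 'aes256-cts-hmac-sha1-96'."""
    return spec.split(":", 1)[0]


def choose_ktadd_enctypes(requested, permitted):
    """Decide the -e list for ktadd.

    requested: list of 'enctype:salttype' specs the admin asked for, or None.
    permitted: the local permitted_enctypes list.

    No explicit request: fall back to the local permitted_enctypes (the
    behaviour the message attributes to Solaris kadmin); the 'normal' salt
    type is an assumption of this example.
    Explicit request: require at least one requested enctype to be locally
    permitted, otherwise the resulting keytab would be useless on this host.
    """
    if requested is None:
        return ["%s:normal" % e for e in permitted]
    overlap = [spec for spec in requested if enctype_name(spec) in permitted]
    if not overlap:
        raise ValueError("none of %s is in local permitted_enctypes %s"
                         % (", ".join(requested), ", ".join(permitted)))
    return list(requested)


def build_ktadd_command(principal, keytab, enctypes):
    """Render the kadmin invocation with an explicit -e list, as the message advises."""
    query = "ktadd -k %s -e %s %s" % (keytab, ",".join(enctypes), principal)
    return "kadmin -q " + shlex.quote(query)


if __name__ == "__main__":
    permitted = permitted_enctypes(SAMPLE_KRB5_CONF)
    wanted = ["aes256-cts-hmac-sha1-96:normal", "des-cbc-crc:normal"]
    chosen = choose_ktadd_enctypes(wanted, permitted)
    print(build_ktadd_command("host/www.example.com", "/etc/krb5.keytab", chosen))
    try:
        choose_ktadd_enctypes(["des-cbc-crc:normal"], permitted)
    except ValueError as err:
        print("refused:", err)
```

Note that the check only concerns the client side of the message's advice; whether the KDC's supported_enctypes (a kdc.conf setting, not readable from the client's krb5.conf) actually contains the enctypes you request is something kadmind decides, and a mismatch there shows up as an error from ktadd itself.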