On 9/09/23 13:24, Mark Davies wrote:
> And yes I could probably explicitly add
>     default_etypes = aes256-cts-hmac-sha1-96
> to krb5.conf to drop the two obsolete types but then I'd have to notice
> and change it again if at some point in the future heimdal changed its
> defaults to something new.

For the record the above didn't work. The correct way to set the
default keys is to add, for example, the following to kdc.conf (or krb5.conf):

    [kadmin]
        default_keys = aes256-cts-hmac-sha1-96:pw-salt aes256-cts-hmac-sha384-192:pw-salt

With this added you don't get the segfault as it doesn't try to do
arcfour-hmac-md5 so that is a workaround - and one I'll probably go with
anyway (ignoring what I said before) as it lets me add additional modern
keytypes that heimdal doesn't look like it will be defaulting till 8.
(see https://github.com/heimdal/heimdal/issues/988)
cheers
mark
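
Added example, not part of the original message and not Heimdal code: a small audit of the [kadmin] default_keys setting described above, flagging entries such as arcfour-hmac-md5. The WEAK_ETYPES list (enctypes deprecated by RFC 6649 and RFC 8429), the function names and the sample config are assumptions of this example, and the parser only handles flat "key = value" lines.

```python
# Added example: audit [kadmin] default_keys in a Heimdal-style config file.
# WEAK_ETYPES is this example's assumption (deprecated by RFC 6649 / RFC 8429).
WEAK_ETYPES = {"arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-crc",
               "des-cbc-md4", "des-cbc-md5", "des", "des3"}
SALT_TYPES = {"pw-salt", "afs3-salt"}  # an entry may omit the enctype

def kadmin_default_keys(conf_text):
    """Return the default_keys entries from [kadmin], or None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "kadmin" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_keys":
                return value.split()         # entries are whitespace-separated
    return None

def audit_default_keys(conf_text):
    """Return (entry, verdict) pairs for each default_keys entry."""
    entries = kadmin_default_keys(conf_text)
    if entries is None:
        return [("<unset>", "built-in defaults apply")]
    report = []
    for entry in entries:
        etype = entry.split(":", 1)[0]       # entry looks like etype:salttype
        if etype in SALT_TYPES:
            verdict = "no explicit enctype"
        elif etype in WEAK_ETYPES:
            verdict = "weak"
        else:
            verdict = "not flagged"
        report.append((entry, verdict))
    return report

# Constructed sample input, not taken from a real KDC.
SAMPLE = """\
[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt aes256-cts-hmac-sha384-192:pw-salt arcfour-hmac-md5:pw-salt
"""

if __name__ == "__main__":
    for entry, verdict in audit_default_keys(SAMPLE):
        print(f"{verdict:20} {entry}")
```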