On Fri, Jun 05, 2015 at 07:24:06AM -0400, John Devitofranceschi wrote:
> How is ktadd *supposed* to figure out which enctype(s) to use?

Long ago I made Solaris' ktadd use the locally supported enctype list as the default for ktadd, as if they'd been passed via the -e option (which still works, natch).

> I am seeing an issue where kadmin’s ktadd, if left to its own devices,
> will generate a key with an encryption type that has nothing to do
> with the KDC’s supported_enctype list and ktadd seems to completely
> ignore the local client’s default/permitted enctype settings.

Eh? No, it should not ignore the KDC's supported_enctype list unless it implements the change I mentioned above. The supported_enctypes list was meant to apply only when the client didn't use the -e option.

> KDC supports: des3-cbc-sha1 des-cbc-crc (I know, I know)
>
> Client's krb5.conf tells it to support: des-cbc-crc (I know, I know)

<phaser type="disapproval" level="11"> ... </phaser>

> But when we run ktadd the resulting keytab’s key has des-cbc-md5
>
> The client is an Oracle Linux with 1.6.1 krb5 client software.
>
> Also, the KDC is using Sun Solaris 10 Kerberos software (not MIT).
>
> Thanks for any insight!

I bet the Oracle client is using the kadm5_create_principal_3() RPC, which means you don't get the supported_enctypes. Try using the -e option.

Nico
-- 
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
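The advice above is to stop relying on ktadd's enctype selection and pass -e explicitly, then look at what actually landed in the keytab. The following shell snippet is an added example and is not part of the list thread or of any Kerberos distribution; the principal, realm, keytab path, admin principal and the single-DES patterns it flags are assumptions chosen for illustration. It shows the -e form of ktadd and a small parser for `klist -kte` output that reports the enctype of every key and flags single-DES keys, run here over a constructed sample rather than a live keytab.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Placeholder names below
# (admin principal, service principal, keytab path) are assumptions.

KEYTAB=${KEYTAB:-/tmp/example.keytab}
PRINC=${PRINC:-host/client.example.com@EXAMPLE.COM}

# Pin the enctypes ktadd writes by passing -e enctype:salttype explicitly
# instead of letting ktadd (or the KDC's supported_enctypes) choose.
# Needs kadmin and a reachable KDC, so it is not exercised offline.
# On a current KDC you would list aes256-cts:normal here instead of des3.
pin_ktadd() {
    kadmin -p admin/admin -q "ktadd -k $KEYTAB -e des3-cbc-sha1:normal $PRINC"
}

# Read `klist -kte` output on stdin and print the "(enctype)" suffix of
# each key line, one enctype per line. Header and separator lines are
# skipped because they do not begin with a KVNO.
keytab_enctypes() {
    sed -n 's/^ *[0-9][0-9]* .*(\([^)]*\))$/\1/p'
}

# Exit 0 if any key in the klist output on stdin uses single DES.
has_des_key() {
    keytab_enctypes | grep -q -E '^des-cbc-(crc|md5|md4)$'
}

# Constructed klist -kte output mirroring the situation in the thread:
# one des-cbc-md5 key the client never asked for, plus a des3 key.
SAMPLE='Keytab name: FILE:/tmp/example.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/05/2015 07:24:06 host/client.example.com@EXAMPLE.COM (des-cbc-md5)
   2 06/05/2015 07:24:06 host/client.example.com@EXAMPLE.COM (des3-cbc-sha1)'

# Real use: klist -kte "$KEYTAB" | check_keytab
# Prints every enctype found and returns 1 when a single-DES key is present.
check_keytab() {
    input=$(cat)
    printf '%s\n' "$input" | keytab_enctypes
    if printf '%s\n' "$input" | has_des_key; then
        echo "WARNING: single-DES key present in keytab" >&2
        return 1
    fi
    return 0
}

# Offline demonstration over the constructed sample.
printf '%s\n' "$SAMPLE" | check_keytab || echo "fix with: kadmin ktadd -e ..."
```

After re-running ktadd with -e, run `klist -kte` on the keytab again and confirm the only enctypes printed are the ones you asked for; a key with an enctype you did not request is the symptom the thread describes.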