On 10/3/21 5:34 AM, Dan Mahoney (Gushi) wrote:
> My reading of "supported_enctypes" is simply that it will stop kadmin/the
> KDC from generating NEW keys of an older type, correct?

Correct. (The KDC doesn't generate long-term keys, so only kadmind/kadmin.local and kdb5_util are affected. Also note that a kadmin client can specify an enctype/salttype list when creating new key sets, in which case supported_enctypes is ignored.)

> That if I do a
> cpw without -keepold, those keys will be removed -- but otherwise, the KDC
> will not act as though a user with 3des-only keys doesn't exist.

Correct. Removing an enctype from permitted_enctypes causes the KDC to ignore keys of that type, but supported_enctypes is only about new long-term keys.

> Changing it should not break any authentication or tickets?

Correct.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
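
A pre-change check that follows from the distinction above, as an added example that is not part of the original message: it parses `getprinc`-style output and lists principals whose current key set has no enctype in a proposed permitted_enctypes list, since those are the keys the KDC would then ignore. The sample output is constructed, the function names are hypothetical, and it assumes canonical enctype names (no families or aliases) and that only the highest-kvno keys count as current.

```python
import re
from collections import defaultdict

# Constructed sample laid out like `kadmin.local -q "getprinc <name>"` output.
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, des3-cbc-sha1
Principal: bob@EXAMPLE.COM
Number of keys: 1
Key: vno 2, des3-cbc-sha1
Principal: carol@EXAMPLE.COM
Number of keys: 2
Key: vno 3, des3-cbc-sha1
Key: vno 2, aes256-cts-hmac-sha1-96
"""

# "Key: vno <n>, <enctype>" with an optional ":salttype" suffix left unmatched.
KEY_RE = re.compile(r"^Key: vno (\d+), ([A-Za-z0-9-]+)")


def current_enctypes(getprinc_text):
    """Map each principal to the enctypes of its highest-kvno key set."""
    keys = defaultdict(lambda: defaultdict(set))  # principal -> kvno -> enctypes
    principal = None
    for line in getprinc_text.splitlines():
        line = line.strip()
        if line.startswith("Principal: "):
            principal = line.split(": ", 1)[1]
            keys[principal]  # also record principals that list no keys
        elif principal and (m := KEY_RE.match(line)):
            keys[principal][int(m.group(1))].add(m.group(2))
    # Assumption: older kvnos (kept by -keepold) are not used for new requests.
    return {p: (by_kvno[max(by_kvno)] if by_kvno else set())
            for p, by_kvno in keys.items()}


def stranded(getprinc_text, permitted):
    """Principals with no current key whose enctype is in `permitted`."""
    allowed = set(permitted.replace(",", " ").split())
    return sorted(p for p, encs in current_enctypes(getprinc_text).items()
                  if not encs & allowed)


if __name__ == "__main__":
    proposed = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
    for name in stranded(SAMPLE, proposed):
        print("needs a key change before des3 is dropped:", name)
```

Changing supported_enctypes alone never puts a principal on this list; only narrowing permitted_enctypes does, which is why the check takes the permitted list as its input.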