[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: krb5 transition: upgrading to krb5 1.6.1

Marcus Better <marcus@better.se> writes:
> Russ Allbery wrote:

>> Correct.  In general, you never want to have Kerberos keys in your KDC
>> for a service principal for enctypes that that service doesn't support.

> Is there an easy way to find out which enctypes a service supports? (And
> why does the poor admin have to worry about this at all?)

The latter you'll have to bring up with the NFSv4 folks, since they should
support all enctypes.  I think NFSv4 and AFS are the only ones with this
problem, and AFS at least has the excuse that it predates the development
of any other enctypes and indeed all of Kerberos v5 by many years.  AFS is
working on this, although it requires a lot of low-level protocol work.

And it's up to the software that doesn't support regular Kerberos enctypes
to let you know in advance that it doesn't.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
Reply to: