Brian, On Thu, Jun 09, 2011 at 11:07:50AM +1000, Brian May wrote: > Would be willing to accept a new version of Heimdal in a point release > of Debian? sorry for taking so much time for coming back to you. > > Without this patch, the KDC rejects AS requests that specify DES enctypes > > with "krb5_crypto_init failed: encryption type (1|2|3) not supported" > > (illustrating another oddity, namely that krb5_crypto_init() uses the > > same error message whether the enctype is unknown or known but disabled; > > krb5_enctype_valid() has two distinct error messages) and TGS requests > > result in "Server (nfs/f.q.d.n) has no support for etypes" (also in the > > KDC's log). The client did have [libdefaults]allow_weak_crypto=true, as > > shown by the fact that the AS and TGS requests asked for a DES enctype. And it's only possible to reactivate that enctype by patching the KDC? I would've assumed that it's just a configuration matter on the KDC side. (Like it's the case with MIT Kerberos where you have to adjust "supported_enctypes".) Kind regards Philipp Kern
Attachment:
signature.asc
Description: Digital signature