I think I've got it mostly covered now, enough to pull up changes: Defaults Discussion: - Remove all enctype related items Done. - add examples for the kdc logging Done (commented out, or we'd probably break our own testing). - Remove explicit configs for all but one realm. Thus move to DNS (for example realm that supports it) and leave one example that explicitly sets them This meant just the "kdc =" configuration, right? Not removing all configuration info for all but one realm? Done, though I swapped out CLUB.CC.CMU.EDU for ANDREW.CMU.EDU (data from Athena's krb5.conf), which has SRV records, so we can omit the "kdc =" bits and still be accurate. - Drop Cygnus.com Done. Changes to in code defaults: - kdctimesyncflag to 1 on all platforms - default ccache type to 4 - kdc default master key type will be 3DES Done. Updated texinfo docs. Defaults not in man pages. - Remove AES 256 Done a couple weeks ago. - Max life change to 24 hours (one day) Done, in client library code, and kadmin principal registration defaults. Updated texinfo docs. Defaults not in man pages. (The kinit man page actually lies, and says the default is configured by site. It's compiled in, the libdefaults entry isn't used.) - Max renewable change to one week. The macro for max renewable life was already set this way, but wasn't being used properly. Kadmin defaults to 0, not changed. Updated texinfo docs. - file a bug to Remove kdc_supported_enctypes (this may involve code so need to investigate) Ignoring this for now. Someone who can summon more context than I can at the moment (like, why it's been decided that it definitely needs removing, and whether we care about the functionality) can file it... Ken