From: Sam Hartman
To: krb5-bugs@MIT.EDU
Subject: krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
Date: Sun, 29 Apr 2007 13:35:57 -0400

gss_set_allowable_enctypes eventually ends up causing krb5_set_default_tgs_enctypes to be called on a krb5_context. We've been seeing a problem on Debian for 1.6 and 1.6.1 where the NFS rpc.gssd ends up with an aes context even though it only supports a des context and requests same by calling gss_set_allowable_enctypes.

I walked through this in gdb and found that while tgs_ktypes is getting set in the context passed into krb5_get_credentials it is not being respected. The credentials coming back from krb5_get_credentials are (in my case) aes. The request to the KDC includes all the enctypes.

I suspect the referrals code interacts badly with use_conf_ktypes or something like that. I actually don't see how referrals could work well with use_conf_ktypes because I think they have conflicting requirements.

Before fixing this bug it is important to first understand what is going on and second have a discussion on krbdev about what should happen instead. I don't think this will be a simple fix.

--Sam
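
The two symptoms in the report (the TGS request offering enctypes outside the restriction, and the returned session key using one of them) can be stated as a check. This is an added example, not code from the report or from MIT krb5: it is a stand-alone model that does not call libkrb5, and the function, macro and array names are hypothetical. The enctype numbers are the registered Kerberos values, and the sample lists are constructed.

```c
#include <stddef.h>

/* Enctype numbers from the Kerberos encryption type registry. */
enum { ET_DES_CBC_CRC = 1, ET_DES_CBC_MD5 = 3, ET_AES128_CTS = 17, ET_AES256_CTS = 18 };

/* Result bits (names are hypothetical, chosen for this example). */
#define REQ_OFFERS_DISALLOWED 0x1 /* request etype list exceeds the restriction */
#define KEY_DISALLOWED        0x2 /* session key enctype is outside the restriction */
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

static int in_list(const int *list, size_t n, int etype)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == etype)
            return 1;
    return 0;
}

/*
 * allowed:   enctypes the application restricted itself to
 * req:       enctype list observed in the request sent to the KDC
 * key_etype: enctype of the session key in the credentials that came back
 * An empty allowed list is treated as "no restriction set" and passes.
 */
int audit_tgs_exchange(const int *allowed, size_t n_allowed,
                       const int *req, size_t n_req, int key_etype)
{
    int result = 0;
    if (n_allowed == 0)
        return 0;
    for (size_t i = 0; i < n_req; i++)
        if (!in_list(allowed, n_allowed, req[i]))
            result |= REQ_OFFERS_DISALLOWED;
    if (!in_list(allowed, n_allowed, key_etype))
        result |= KEY_DISALLOWED;
    return result;
}

/* Constructed sample data: a DES-only restriction, as rpc.gssd requests. */
static const int allowed_des[] = { ET_DES_CBC_CRC, ET_DES_CBC_MD5 };
static const int req_all[] = { ET_AES256_CTS, ET_AES128_CTS, ET_DES_CBC_CRC, ET_DES_CBC_MD5 };
static const int req_des[] = { ET_DES_CBC_CRC, ET_DES_CBC_MD5 };

/* Behaviour described in the report: all enctypes requested, AES key returned. */
int reported_case(void) { return audit_tgs_exchange(allowed_des, NELEM(allowed_des), req_all, NELEM(req_all), ET_AES256_CTS); }
/* Behaviour the caller asked for: DES-only request, DES key returned. */
int expected_case(void) { return audit_tgs_exchange(allowed_des, NELEM(allowed_des), req_des, NELEM(req_des), ET_DES_CBC_CRC); }
```

In a real reproducer the inputs would come from the request seen on the wire and from the enctype of the key in the credentials returned by krb5_get_credentials.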