To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2520] Problem with kadmin in 1.3.1
From: Sam Hartman
Date: Fri, 02 Apr 2004 17:02:56 -0500
In-Reply-To: (""'s message of "Mon, 29 Mar 2004 23:38:02 -0500 (EST)")

>>>>> Machin, Glenn D via RT writes:

> The solution is to have _kadm5_init_any() do what
> gss_init_sec_context does in that, use the encryption types
> that are in both the desired list and what is defined by
> default_tgs_enctypes.

No, it should intersect against default_tkt_enctypes since it is an
initial request. Your default_tkt_enctypes is not a subset of
default_tgs_enctypes, so things fail.

I do believe that the current code does intersect against
default_tkt_enctypes.

You can argue that having both default_tgs_enctypes and
default_tkt_enctypes is confusing and useless. We'd probably agree.
But it's currently the documented behavior.
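
An added example, not part of the original message or of the krb5 code base: a check that reads the two `[libdefaults]` relations discussed above from a krb5.conf, intersects an application's enctype list with each, and lists any `default_tkt_enctypes` entry missing from `default_tgs_enctypes`. The configuration fragment, the `DESIRED` list and all function names are constructed for illustration; enctype names are compared literally, so aliases are not resolved.

```python
import re

# Constructed krb5.conf fragment (not from the ticket): default_tkt_enctypes
# contains an entry that default_tgs_enctypes lacks.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc, des3-cbc-sha1
    default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5

[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

# Hypothetical application preference list, most preferred first.
DESIRED = ["des3-cbc-sha1", "des-cbc-md5", "des-cbc-crc"]

def libdefaults_enctypes(conf_text, key):
    """Return the enctype list for `key` in [libdefaults], in file order."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                # Lists may be separated by whitespace and/or commas.
                return [e.lower() for e in re.split(r"[\s,]+", value) if e]
    return None  # relation not set: the library's built-in default applies

def intersect(desired, allowed):
    """Keep the caller's preference order, dropping enctypes not in `allowed`."""
    return list(desired) if allowed is None else [e for e in desired if e in allowed]

def check(conf_text, desired):
    tkt = libdefaults_enctypes(conf_text, "default_tkt_enctypes")
    tgs = libdefaults_enctypes(conf_text, "default_tgs_enctypes")
    return {
        "vs_tkt_list": intersect(desired, tkt),  # list the reply says applies
        "vs_tgs_list": intersect(desired, tgs),  # list the report proposed
        # Entries that make default_tkt_enctypes not a subset of default_tgs_enctypes.
        "tkt_not_in_tgs": [e for e in (tkt or []) if tgs is not None and e not in tgs],
    }

if __name__ == "__main__":
    for field, value in check(SAMPLE_CONF, DESIRED).items():
        print(f"{field}: {value}")
```

A non-empty `tkt_not_in_tgs` is the condition the reply points at: the two relations disagree, so the two intersections yield different lists.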