[Freeipa-users] Strange klist output
Simo Sorce
simo at redhat.com
Sat Feb 25 14:40:55 UTC 2012
On Sat, 2012-02-25 at 09:35 -0500, John Dennis wrote:
> On 02/25/2012 09:20 AM, Simo Sorce wrote:
> > Use -e to see what enctypes are reported.
>
> Is this difference in any way related to s4u2proxy or did the extra
> enctypes show up because we upgraded Kerberos and picked up other
> unrelated behavior at the same time?
No, the contents of the keytab have nothing to do with day to day
operations.
Tickets and TGTs are stored in your ccache.
> Why do we now have all these enctypes? Is it to satisfy forwarding/proxy
> when you don't know a priori which enctype the foreign endpoint will require?
Because in Kerberos each principal can have multiple keys, generally one
per supported (by the KDC) enctype. This is so that a client can use the
strongest enctype it has crypto support for.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
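
An added example, not part of the original message: a small reader for the MIT keytab file format (version 0x0502) that lists, per principal, the kvno and enctype of every stored key, which is the per-enctype view discussed in this thread. The principal, realm and all-zero keys in the sample are constructed for illustration.

```python
import struct
from collections import defaultdict
# Subset of the IANA Kerberos enctype numbers.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def read_counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_enctypes(data):
    """Map principal -> sorted [(kvno, enctype name)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    keys, off = defaultdict(set), 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                       # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(data, p)
            comps.append(comp.decode())
        p += 8                              # skip name type and timestamp
        kvno, etype = data[p], struct.unpack_from(">H", data, p + 1)[0]
        _key, p = read_counted(data, p + 3) # key bytes are read but never returned
        if end - p >= 4:                    # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        name = "/".join(comps) + "@" + realm.decode()
        keys[name].add((kvno, ENCTYPES.get(etype, f"etype-{etype}")))
        off = end
    return {name: sorted(v) for name, v in keys.items()}

def build_entry(realm, comps, kvno, etype, key):
    """Build one keytab entry; used only to construct the sample below."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one service principal, three dummy all-zero keys, same kvno.
SAMPLE = b"\x05\x02" + b"".join(
    build_entry(b"EXAMPLE.COM", [b"HTTP", b"ipa.example.com"], 2, et, bytes(n))
    for et, n in ((18, 32), (17, 16), (23, 16)))
```

Calling `keytab_enctypes(SAMPLE)` returns a single principal with three keys at the same kvno, one per enctype.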