author | Greg Hudson <ghudson@mit.edu> | 2016-12-04 18:34:41 -0500
committer | Tom Yu <tlyu@mit.edu> | 2017-01-09 17:14:43 -0500
commit | 28c6852615cd4a4e0bee2cfa44d65369c3967802 (patch)
tree | 2f83f91b6870cf833546fb618eba8ac9764b95e3
parent | 8f72ad84f40c20885c472e543c4f11973bcbca20 (diff)
download | krb5-28c6852615cd4a4e0bee2cfa44d65369c3967802.zip krb5-28c6852615cd4a4e0bee2cfa44d65369c3967802.tar.gz krb5-28c6852615cd4a4e0bee2cfa44d65369c3967802.tar.bz2
Add caveats to krbtgt change documentation
In database.rst, describe a couple of krbtgt rollover issues and how
to avoid them.
(cherry picked from commit 56d05e87858b672591c1e6b7869cb08e8b1e0d59)
ticket: 8524
version_fixed: 1.14.5
-rw-r--r-- | doc/admin/database.rst | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/admin/database.rst b/doc/admin/database.rst index c7abc1b..53a17ea 100644 --- a/doc/admin/database.rst +++ b/doc/admin/database.rst @@ -761,6 +761,24 @@ database as well as the new key. For example:: with older kvnos, ideally first making sure that all tickets issued with the old keys have expired. +Only the first krbtgt key of the newest key version is used to encrypt +ticket-granting tickets. However, the set of encryption types present +in the krbtgt keys is used by default to determine the session key +types supported by the krbtgt service (see +:ref:`session_key_selection`). Because non-MIT Kerberos clients +sometimes send a limited set of encryption types when making AS +requests, it can be important to for the krbtgt service to support +multiple encryption types. This can be accomplished by giving the +krbtgt principal multiple keys, which is usually as simple as not +specifying any **-e** option when changing the krbtgt key, or by +setting the **session_enctypes** string attribute on the krbtgt +principal (see :ref:`set_string`). + +Due to a bug in releases 1.8 through 1.13, renewed and forwarded +tickets may not work if the original ticket was obtained prior to a +krbtgt key change and the modified ticket is obtained afterwards. +Upgrading the KDC to release 1.14 or later will correct this bug. + .. _incr_db_prop: |
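Review bot: the first added paragraph carries a typo in "it can be important to for the krbtgt service to support multiple encryption types"; drop the stray "to" so it reads "it can be important for the krbtgt service to support multiple encryption types". In the same paragraph, "which is usually as simple as not specifying any **-e** option when changing the krbtgt key" would help readers more if it said why that works, namely that without **-e** the change uses the KDC's default key/salt types, so the krbtgt principal ends up with one key per default enctype. The second paragraph states that renewed and forwarded tickets "may not work" on 1.8 through 1.13 when the original ticket predates the krbtgt key change; since the surrounding context already tells administrators to keep old kvnos until tickets issued with them have expired, consider adding one sentence that ties the two together for administrators who cannot upgrade immediately, so they know to expect renewal and forwarding failures for pre-rollover tickets until those tickets expire.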