Description of problem:
Copied the working /etc/krb5.conf file from an RHEL v3.4 system to the new RHEL 4.0 system. This /etc/krb5.conf file is used to connect with our DCE security server as the KDC. Discovered that kinit fails with the error message:

kinit(v5): No supported encryption types (config file error?) while getting initial credentials

Removing the "default_tkt_enctypes = des-cbc-crc" from the [libdefaults] section allows the kinit to work, but all the keys that have been saved in that enctype in the /etc/krb5.keytab file will no longer work. Replacing those keys is not possible.

Version-Release number of selected component (if applicable):
krb5-workstation-1.3.4-10

How reproducible:
Edit /etc/krb5.conf to place "default_tkt_enctypes = des-cbc-crc" in the [libdefaults] section. Attempt to use kinit.

Steps to Reproduce:
1. Edit /etc/krb5.conf to place "default_tkt_enctypes = des-cbc-crc" in the [libdefaults] section.
2. kinit -V (userid of choice)
3.

Actual results:
[root@carcajou ~]# kinit -V fcs
kinit(v5): No supported encryption types (config file error?) while getting initial credentials
[root@carcajou ~]#

Expected results:
[root@carcajou ~]# kinit -V fcs
Password for fcs:
Authenticated to Kerberos v5
[root@carcajou ~]#

Additional info:
After much research, the solution to the problem (because the KDC is really a DCE security server) is to add the following two lines to the [libdefaults] section:

dns_lookup_kdc = false
noaddresses = false

The first is because we have kdc information for a realm of the same name in DNS as we are converting from DCE to MIT Kerberos -- but it doesn't have the same host entries. The second is because DCE does not allow requests with 0.0.0.0 as the address of the client.
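
An added example (not part of the original report): a Python check that reads the [libdefaults] section of a krb5.conf and reports on the three settings discussed in this bug. The sample file contents, the realm and host names, and the function names are constructed for illustration; treating an absent boolean as "not disabled" is an assumption of this sketch.

```python
import re

# Constructed sample resembling the configuration described in the report.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    dns_lookup_kdc = false
    noaddresses = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
    }
"""

FALSE_VALUES = {"false", "no", "n", "off", "0", "nil"}

def libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def review(text):
    """List findings for the three settings discussed in this report."""
    conf, findings = libdefaults(text), []
    enctypes = conf.get("default_tkt_enctypes", "").replace(",", " ").split()
    # "des-" matches single-DES types only; des3-* is not matched.
    if enctypes and all(e.startswith("des-") for e in enctypes):
        findings.append("default_tkt_enctypes is single DES only: " + " ".join(enctypes))
    # Assumption: an absent value is reported as not disabled.
    if conf.get("dns_lookup_kdc", "").lower() not in FALSE_VALUES:
        findings.append("dns_lookup_kdc not disabled: DNS may supply KDCs for the realm")
    if conf.get("noaddresses", "").lower() not in FALSE_VALUES:
        findings.append("noaddresses not false: requests may carry no client address")
    return findings
```

To check a real file, pass its contents to `review()`, for example `review(open("/etc/krb5.conf").read())`.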