On 9/09/23 13:24, Mark Davies wrote:
And yes I could probably explicitly add default_etypes = aes256-cts-hmac-sha1-96 to krb5.conf to drop the two obsolete types but then I'd have to notice and change it again if at some point in the future heimdal changed its defaults to something new.
For the record the above didn't work. The correct way to set the default keys is to add for example the following to kdc.conf (or krb5.conf)
    [kadmin]
        default_keys = aes256-cts-hmac-sha1-96:pw-salt aes256-cts-hmac-sha384-192:pw-salt
With this added you don't get the segfault as it doesn't try to do arcfour-hmac-md5 so that is a workaround - and one I'll probably go with anyway (ignoring what I said before) as it lets me add additional modern keytypes that heimdal doesn't look like it will be defaulting till 8.
(see https://github.com/heimdal/heimdal/issues/988)

cheers
mark
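Added example, not part of the message above and not Heimdal code: a small Python check that a kdc.conf or krb5.conf carries an explicit `[kadmin] default_keys` and that no entry names arcfour-hmac-md5. The simplified file parsing, the assumption that the enctype is the text before the first colon, and the sample files are all constructed for illustration.

```python
import re

# Enctype the message reports kadmin tripping over; extend per local policy.
FLAGGED = {"arcfour-hmac-md5"}

# Constructed sample files (not taken from any real KDC).
SAMPLE_FIXED = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt aes256-cts-hmac-sha384-192:pw-salt
"""
SAMPLE_UNSET = "[libdefaults]\n    default_etypes = aes256-cts-hmac-sha1-96\n"
SAMPLE_WEAK = "[kadmin]\n    default_keys = arcfour-hmac-md5:pw-salt aes256-cts-hmac-sha1-96:pw-salt\n"

def kadmin_default_keys(conf_text):
    """Return the [kadmin] default_keys entries, or None when the key is unset."""
    section, depth, found = None, 0, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if depth == 0 and header:
            section = header.group(1).strip()
            continue
        if line.endswith("{"):                    # entering a nested block
            depth += 1
            continue
        if line.startswith("}"):                  # leaving a nested block
            depth = max(0, depth - 1)
            continue
        if section == "kadmin" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_keys":
                found = (found or []) + value.split()
    return found

def audit(conf_text, flagged=FLAGGED):
    """Summarise default_keys: whether it is set, its enctypes, and flagged ones."""
    keys = kadmin_default_keys(conf_text)
    if keys is None:                              # unset: built-in defaults apply
        return {"explicit": False, "enctypes": [], "flagged": []}
    enctypes = [k.split(":", 1)[0] for k in keys]
    return {"explicit": True, "enctypes": enctypes,
            "flagged": [e for e in enctypes if e in flagged]}

if __name__ == "__main__":
    for name in ("SAMPLE_FIXED", "SAMPLE_UNSET", "SAMPLE_WEAK"):
        print(name, audit(globals()[name]))
```

A result with `explicit` false means the file only sets something like `default_etypes`, which the message reports did not change the keys kadmin generates.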