From: Tom Yu
Date: Tue, 18 Dec 2012 00:22:52 +0000 (-0500)
Subject: Clarify enctype settings in krb5_conf.rst
X-Git-Tag: krb5-1.12-alpha1~407
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b11883ad8647a73a12a17c1be2c75f5365719342;p=thirdparty%2Fkrb5.git

Clarify enctype settings in krb5_conf.rst

Clarify the krb5.conf settings default_tkt_enctypes and default_tgs_enctypes in krb5_conf.rst.

ticket: 7513 (new)
target_version: 1.11
tags: pullup
---

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 6911f5c69a..60a9d06ff2 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -157,23 +157,33 @@ The libdefaults section may contain any of the following relations: **default_tgs_enctypes** Identifies the supported list of session key encryption types that - should be returned by the KDC, in order of preference from - highest to lowest. The list may be delimited with commas or - whitespace. See :ref:`Encryption_and_salt_types` in + the client should request when making a TGS-REQ, in order of + preference from highest to lowest. The list may be delimited with + commas or whitespace. See :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list of the accepted values for this tag. The default value is |defetypes|, but single-DES encryption types will be implicitly removed from this list if the value of **allow_weak_crypto** is false. + Do not set this unless required for specific backward + compatibility purposes; stale values of this setting can prevent + clients from taking advantage of new stronger enctypes when the + libraries are upgraded. + **default_tkt_enctypes** Identifies the supported list of session key encryption types that - should be requested by the client, in order of preference from - highest to lowest. The format is the same as for + the client should request when making an AS-REQ, in order of + preference from highest to lowest. The format is the same as for default_tgs_enctypes. The default value for this tag is |defetypes|, but single-DES encryption types will be implicitly removed from this list if the value of **allow_weak_crypto** is false. + Do not set this unless required for specific backward + compatibility purposes; stale values of this setting can prevent + clients from taking advantage of new stronger enctypes when the + libraries are upgraded. + **dns_lookup_kdc** Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the
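
Review bot: The caution paragraph added under both **default_tgs_enctypes** and **default_tkt_enctypes** ("Do not set this unless required for specific backward compatibility purposes; ...") tells the administrator what to avoid but not what to do instead. Each entry already states that the default value is |defetypes|, so the paragraph would be more actionable if it said that leaving the relation unset uses that default, which is what lets clients use stronger enctypes after a library upgrade. Two smaller points: in the default_tkt_enctypes entry, "The format is the same as for default_tgs_enctypes" names the other relation in plain text while **allow_weak_crypto** is bolded a few lines later, so marking it up the same way would be consistent; and the two caution paragraphs are word-for-word identical, so consider keeping the text under one entry and referring to it from the other so the copies cannot drift apart.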