Steps to remove AES-256 settings.
If you do not use AES-256, you must remove the AES-256 settings as an allowed cipher
for each principal and then regenerate the keys for the krbtgt principal.
Prerequisites
These methods require Kerberos 5-1.2 on the KDC.
Procedure
Remove AES-256 settings in one of the following ways:
- If you have not created the principals, use the -e flag to specify encryption:salt type pairs. For example: -e "arcfour-hmac:normal des3-hmac-sha1:normal".
- If you have already created the principals, modify the Kerberos principals using the -e flag as described above and then recreate the keytab file.
Alternately, you can modify the /etc/krb5kdc/kdc.conf file by removing any entries containing aes256 from the supported_enctypes variable for the realm in which the DataStax Enterprise nodes are members. Then change the keys for the krbtgt principal.
Note: If the KDC is used by other applications, changing the krbtgt principal's keys invalidates any existing tickets. To prevent this, use the -keepold option when executing the change_password command. For example:
'cpw -randkey -keepold krbtgt/krbtgt/REALM@REALM'
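
A check for the kdc.conf edit described above, as an added example that is not part of the original procedure: aes256_realms lists the realms whose supported_enctypes still contains an aes256 entry, and strip_aes256 prints the file with those entries removed. The function names, the sample realms and the whitespace-separated layout of the enctype list are assumptions.

```sh
#!/bin/sh
# Added example: audit and edit supported_enctypes in a kdc.conf-style file.
# Function names and the sample realms are hypothetical.

# Print each realm whose supported_enctypes still lists an aes256 enctype.
aes256_realms() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*[^ \t=]+[ \t]*=[ \t]*[{]/ {      # "REALM = {" opens a realm block
            realm = $1; sub(/=.*/, "", realm)
        }
        /^[ \t]*supported_enctypes[ \t]*=/ && /aes256/ { print realm }
    ' "$1"
}

# Print the file with every aes256 enctype:salt pair dropped from
# supported_enctypes lines; all other lines pass through unchanged.
strip_aes256() {
    awk '
        /^[ \t]*supported_enctypes[ \t]*=/ {
            indent = $0; sub(/supported_enctypes.*/, "", indent)
            value = $0;  sub(/^[^=]*=[ \t]*/, "", value)
            n = split(value, pair, /[ \t,]+/); kept = ""
            for (i = 1; i <= n; i++)
                if (pair[i] != "" && pair[i] !~ /^aes256/)
                    kept = kept (kept == "" ? "" : " ") pair[i]
            print indent "supported_enctypes = " kept
            next
        }
        { print }
    ' "$1"
}

# Constructed sample, not a real KDC configuration.
sample_kdc_conf() {
    cat <<'EOF'
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
    }
    OTHER.EXAMPLE = {
        supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal
    }
EOF
}

tmp=$(mktemp); sample_kdc_conf > "$tmp"
echo "aes256 still allowed in: $(aes256_realms "$tmp")"
strip_aes256 "$tmp"; rm -f "$tmp"
```

Review the output of strip_aes256 before replacing /etc/krb5kdc/kdc.conf, then change the keys for the krbtgt principal as the procedure describes.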