[OpenAFS] afs krb5 migration

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 23 Apr 2001 11:48:03 -0400

>I suppose there is a bug in the ktadd command that prevent it from
>obeying the kdc.conf configurations so that no afs-aware keys are

Whoah, hold on a second here.

The "key salt" perhaps the most misunderstood thing in Kerberos.  It
is ONLY used for converting a user's plaintext password into an encryption
key.  Saying it's an "afs-aware" key is a COMPLETE misnomer.  ktadd
doesn't generate those other salted keys, because they're completely
meaningless - there's no plaintext password that corresponds to the
encryption key that ktadd generates (well, there MAY be one, but we
don't know what it is :-) ).  I suspect the larger problem is that the 3DES
key was confusing things in there (but I'm not sure exactly where things
were breaking).