[OpenAFS] Kerberos 5 / AFS / PAM

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 18 Jun 2001 13:26:03 -0400

>        I saw the same behavior when attempting to set up Krb5 / AFS
>integration; as I later figured out (with some help from people who'd
>done it before), there is an undocumented 'feature' in the afs-krb5
>migration kit; when you create the afs@realm principal, you must do so
>by using kadmin.local with the -e option to specify an AFS salt for the
>key.  According to the documentation, and according to how I'm told it
>should work, you shouldn't have to do this, but I wasn't able to get
>anywhere until I invoked kadmin.local with the '-e "des-cbc-crc:afs3"'
>option to create the afs principal.  Once I did that, I was able to
>transfer the keys as the kit's documentation said, and aklog was happy
>with me.

In defense of the poor, dusty afs-krb5 kit .... this wasn't in the
documentation for it because it was around before 3DES support was in
Kerberos.  And you don't need an AFS-salted key ... any single-DES key
will do.