[OpenAFS] Windows auth against Kerb5

David Botsch dwb7@ccmr.cornell.edu
Fri, 18 Jun 2004 10:40:20 -0400

So, we've migrated our kaserver to kerb5 (yay!).

Now, what we'd like to do is to get Windows systems to be able to authenticate
against Kerberos 5. To maintain compatibility with clients out there, we still
have users with AFS-salted keys.

So, a user's entry might look like:

kadmin:  getprinc bozo
Principal: bozo@MSC.CORNELL.EDU
Expiration date: [never]
Last password change: Thu Jun 17 18:20:45 EDT 2004
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 30 days 00:00:00
Last modified: Thu Jun 17 18:20:45 EDT 2004 
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 12, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 12, DES cbc mode with CRC-32, AFS version 3
Key: vno 12, DES cbc mode with CRC-32, no salt
Policy: [none]

Now, I've been told that this is just an unordered collection of keys. Yet,
somehow, it seems that in the case of windows, whatever happens to be the first
one is the only one that's tried (Windows doesn't specify which one it wants
and so the server just returns the first one in its list and auth fails?).

So, other than my hacking up create-user and change-password scripts to do
something like "-e des-cbc-crc:normal des-cbc-crc:v4 des3-cbc-sha1:normal" so
that this unordered collection is in an order that works with Windows, is the only
solution to sacrifice all other keys so that the one Windows likes is the only
one there?


David William Botsch
Consultant/Advisor II
CCMR Computing Facility
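As an added illustration of the key-ordering problem described in the post above (not code from the poster or from OpenAFS), the following script parses the key lines of a `kadmin getprinc` listing, checks whether the first key is the single-DES, normal-salt key the post reports Windows trying, and builds the `-e` keysalt list that would put it first. The mapping from getprinc's display strings to kadmin keysalt names (`des-cbc-crc:normal`, `des-cbc-crc:afs3`, `des3-cbc-sha1:normal`) and the "first key must be des-cbc-crc:normal" rule are assumptions taken from the post's observation, not verified Windows behaviour.

```python
import re

# Assumed mapping from the enctype / salt strings that kadmin's getprinc
# prints to the keysalt specifiers kadmin accepts after -e.
ENCTYPES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
}
SALTS = {
    "no salt": "normal",
    "AFS version 3": "afs3",
    "Version 4": "v4",
}

# The key the post reports Windows as needing first (assumption).
WINDOWS_KEYSALT = "des-cbc-crc:normal"

KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")


def parse_keys(getprinc_output):
    """Return [(kvno, keysalt)] in the order the KDC lists the keys."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue  # not a Key: line (Principal:, Policy:, ...)
        kvno, enc, salt = m.groups()
        enc_id = ENCTYPES.get(enc, enc.lower())
        salt_id = SALTS.get(salt, salt.lower())
        keys.append((int(kvno), f"{enc_id}:{salt_id}"))
    return keys


def windows_ok(keys):
    """True if the first listed key is the one Windows is observed to use."""
    return bool(keys) and keys[0][1] == WINDOWS_KEYSALT


def reorder_for_windows(keys):
    """Build the -e argument that lists the Windows key first, keeping the rest."""
    preferred = [k for _, k in keys if k == WINDOWS_KEYSALT]
    others = [k for _, k in keys if k != WINDOWS_KEYSALT]
    return " ".join(preferred + others)


# Constructed sample, copied from the key lines in the post.
SAMPLE = """Key: vno 12, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 12, DES cbc mode with CRC-32, AFS version 3
Key: vno 12, DES cbc mode with CRC-32, no salt"""
```

Running `reorder_for_windows(parse_keys(SAMPLE))` on the constructed sample yields `des-cbc-crc:normal des3-cbc-sha1:normal des-cbc-crc:afs3`, an `-e` list that keeps the AFS-salted key while moving the Windows one to the front.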