[OpenAFS] Kerberos5 and afs

Christopher D. Clausen cclausen@acm.org
Thu, 15 Nov 2007 16:29:52 -0600


Steve Devine <sdevine@msu.edu> wrote:
> Forgive the slightly off topic post but I think it applies here as
> well on the kerberos list
> Several years ago we moved to MIT kerberos 5. At the time I set the
> master key in the  kdc.conf  to:
> master_key_type = des-cbc-crc
> I did this to allow transfer of principals from our old kaserver to
> the new kdc.
> Now we are trying to get Windows 2003 AD to auth against our Kerberos
> server and it seems that it will not work with our kdc as it is
> configured. My question is am I screwed here or just missing
> something easy?  I have tried multiple allowed enctypes and still no
> luck. If I build a kdc without specifying a master key it seems to 
> work.
> Have any others done this same thing?

Can you be more specific with what you are attempting?  Windows AD can
trust an MIT realm.  (I have multiple MIT realms trusting AD.UIUC.EDU,
one using a des3 master key type and one using des as above.)  As far as
I can tell, the master key type should not actually matter.

<<CDC