[OpenAFS] Kerberos5 and afs

Russ Allbery rra@stanford.edu
Thu, 15 Nov 2007 14:38:58 -0800


Steve Devine <sdevine@msu.edu> writes:

> Forgive the slightly off topic post but I think it applies here as well
> on the kerberos list Several years ago we moved to MIT kerberos 5. At
> the time I set the master key in the kdc.conf to:

> master_key_type = des-cbc-crc

> I did this to allow transfer of principals from our old kaserver to the
> new kdc.

> Now we are trying to get Windows 2003 AD to auth against our Kerberos
> server and it seems that it will not work with our kdc as it is
> configured.  My question is am I screwed here or just missing something
> easy?  I have tried multiple allowed enctypes and still no luck.

> If I build a kdc without specifying a master key it seems to work.
> Have any others done this same thing?

The master key type doesn't matter at all for cross-realm trust.  The only
thing the master key is used for is encrypting the KDC database on disk.
It is never seen on the wire and no clients of Kerberos are even aware
that it exists.

What matters for cross-realm trust is the enctypes on the cross-realm
krbtgt keys, which must match in both environments (along with the key and
the kvno) and must be of an enctype supported in both environments.  Most
sites these days use rc4-hmac as the cross-realm key type since it's
stronger than DES and supported by both Windows and MIT Kerberos.  If
you're running the latest and greatest Windows AD, you can use AES, but
that's pretty bleeding edge still and most people haven't upgraded that
far yet.

Most cross-realm trust problems with Windows end up being problems with
getting the key and kvno synchronized between the environment or having
extra stray enctypes on the MIT end that Windows doesn't support.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>