[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Sergio Gelato Sergio.Gelato@astro.su.se
Fri, 26 Jul 2013 10:57:41 +0200

* Andrew Deason [2013-07-25 14:35:58 -0500]:
> On Thu, 25 Jul 2013 15:22:50 -0400 (EDT)
> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> > On Thu, 25 Jul 2013, Sergio Gelato wrote:
> > 
> > > I've been poking a bit into this. First of all, let's make sure I
> > > don't misunderstand your expectation here: do you want the KDC to be
> > > willing to issue a ticket with a des-cbc-crc session key (as
> > > requested by old aklog) even though the afs service principal does
> > > not have that enctype?
> That was the idea. But that doesn't work, as you've seen. Sorry about
> that; we were trying a lot of different KDC/configuration
> combinations...
> > > Or are we Heimdal users expected to add that enctype to afs/cell
> > > whenever we rekey?
> That appears to be what you'll need to do, unless you can change the
> KDC's behavior.

I've now succeeeded in changing the KDC's behavior.

First of all, Heimdal's krb5.conf(5) man page states the wrong defaults
(I've reported this bug). [kdc]svc-use-strongest-session-key is false by
default, toggle it if you want to use the new session key selection

Secondly, the following patch is required:
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -183,9 +183,10 @@
 	if (clientbest != (krb5_enctype)ETYPE_NULL &&
-	    enctype == (krb5_enctype)ETYPE_NULL)
+	    enctype == (krb5_enctype)ETYPE_NULL) {
 	    enctype = clientbest;
-	else if (enctype == (krb5_enctype)ETYPE_NULL)
+	    ret = 0;
+	} else if (enctype == (krb5_enctype)ETYPE_NULL)
 	if (ret == 0 && ret_enctype != NULL)
 	    *ret_enctype = enctype;

I'll submit it to heimdal-bugs for consideration.

> If you're expecting to be rekeying the AFS princ regularly or
> frequently, though... doing that is still usually a disruptive
> operation, even without this changing-enctype stuff for transitioning to
> rxkad-k5/rxkad-kdf. That won't change until the Kerberos tools improve.

Speaking of which, is anyone known to be working on rxkad-kdf support for
Heimdal's libkafs? I'd like kinit --afslog to do the right thing.

> > If the KDC is in a state where it must choose a session key enctype in
> > the intersection of the service principal's keys and the client's
> > list, then the latter should always work.  The DES key for the
> > afs/cell principal will need to be entered into the KeyFile or removed
> > from the rxkad.keytab in order for server-to-server authentication to
> > work, though.
> Or just run add_enctype after you extract the keytab. That seems like
> the easiest way to account for this in the instructions. While I recall
> it being mentioned that add_enctype may be a relatively new feature,
> having different enctypes for the service ticket and the session key at
> all also appears "new", so maybe that is moot.

I've glanced at #10110 in Gerrit, will see if I have any constructive
comments for you. I'd guess that early adopters of rxkad-k5 are likely
to be running a sufficiently recent version of Heimdal (one with DES
disabled by default).