[OpenAFS-devel] Re: Issues with keytab creation related to switch to w2k3 w/ ktutil

Douglas E. Engert deengert@anl.gov
Wed, 07 Apr 2004 13:33:25 -0500 

[Openafs-devel, see comments on src/rxkad/ticket5.c and md5 below.]

"Neulinger, Nathan" wrote:
> 
> What approach are you taking with your clients? changing everything to
> use DES-CBC-MD5, or applying this change to your DC's? interactions with
> afs krb524?

Some background:

  o We have used for years use a modified krb524d that accepts a k5 ticket 
    for afsx/cell@realm and then uses a key from a copy of the /usr/afs/etc/KeyFile
    so the keys and kvno's dont have to be the same. 

  o gssklog works similiar in that the gss session is indepented
    of the keys for the tokens. 
 
Both of the above still use V4 based afs tokens. 

the krb524d should beable to convert the tickets from V5 to either V4 or V5
and use des-cbc-crc. There may be a bug in that it uses the input e-type
for the output. 

There are two approaches if you want to use V5 tickets ditrectly or with md5 via
krb524d:

  Fix OpenAFS to accept des-cbc-md5. This is a change to src/rxkad/ticket5.c 
  to replace the "FIXME" comments with md4 and md5. I got this to compile
  yesterday, nad have not tested. I took the Heimdal md5 amd md4 and added
  code to ticket5.c Jeff also added support for large tickets. This would be the
  best long term solution, but requires changes to servers, and clients for
  large tickets.  

 
  Patch the AD with hotfix:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;833708
   But we wahtned to get the NO-PAC hotfix at the same time. Still waiting
   for Microsoft on this. Bit hotfixes change kdcsrv.dll  
   Possible good short term fix, but NO-PAC hotfix if tor W2003 only
   and is not released yet. 


> 
> -- Nathan
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul@umr.edu
> University of Missouri - Rolla         Phone: (573) 341-6679
> UMR Information Technology             Fax: (573) 341-4216
> 

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444