[OpenAFS-devel] Kerberos V, KeyFile questions

Sean O'Malley omalleys@msu.edu
Fri, 4 Jun 2004 14:02:01 -0400 (EDT)


Okay I have kerbV running and I can use aklog to get a token and things
seem peachy with that part of the upgrade.

We need klog support and it is my understanding that MIT KrbV doesn't
support the RX protocol without using fakeka so I am trying to get fakeka
running.

I run
kadmin:  ktadd -k /etc/krb5.keytab -e des-cbc-crc afs@CORESYS.CL.MSU.EDU
ktadd: Invalid argument while parsing keysalts de-cbc-crc

I do:
kadmin:  ktadd -k /etc/krb5.keytab -e des-cbc-crc:normal afs@CORESYS.CL.MSU.EDU
Entry for principal afs@CORESYS.CL.MSU.EDU with kvno 4, encryption type DES cbc
mode with CRC-32 added to keytab

Is this the right salt? I run asetkey which should copy this back to the
KeyFile, and it works but I am still getting this error.

[root@open-afsdb1 test4]#fakeka
fakeka: No matching key in entry while decrypting the master key

The only thing I can think of is des-cbc-crc:normal needs to be something
else or I am missing needed arguments to fakeka.

Do I need to initialize this in the BosConfig file by adding fakeka
as a server too?

I kind of hit a brick wall so any help would be appreciated.

Thanks

Sean
--------------------------------------
  Sean O'Malley, Information Technologist
  Michigan State University
-------------------------------------

On Mon, 17 May 2004, Douglas E. Engert wrote:

>
>
> Garrett Wollman wrote:
> >
> > <<On Fri, 14 May 2004 19:45:36 -0400 (EDT), "Sean O'Malley" <omalleys@msu.edu> said:
> >
> > > will take at least a year. I would like to dump kerberos IV support
> > > altogether. I am just wondering about the feasibility of the plan.
> >
> > We did not make any transition, but we are running a pure-v5
> > environment with no Kerberos-related problems.  There are still a few
> > issues we'd like to get resolved; most importantly, getting kafs to use
> > a stronger encryption algorithm than single-DES.  (afs is the only
> > principal in our KDC that has a single-DES key and we'd like to
> > disable 1DES entirely.)  We do run krb524d, in standalone mode, on the
> > AFS dbservers to support ticket mangling for Unix clients using
> > `aklog', and we also run gssklogd but plan to stop now that the
> > current Windows client and KfW support using v5 tickets directly.
>
> Note that AFS 1.3.64 will still only use DES keys. To do otherwise will
> require some major changes to AFS. 1.3.64 added des-cbc-md5 and des-cbc-md4
> to the existing des-cbc-crc as well as allowing tickets larger than 344 bytes.
>
>
>
> >
> > -GAWollman
> >