[OpenAFS] krb5 migration questions

Derek Atkins warlord@MIT.EDU
11 Jun 2003 17:05:27 -0400


David Botsch <dwb7@ccmr.cornell.edu> writes:

> Two questions on krb5 migration, which we are in the process of testing (btw, I
> am writing up what we do and will submit it for wiki, etc when we are done).
> 
> The first question is on this note in the wiki:
> 
> if using krb5 1.2.6 or later from MIT, add to krb5.conf on krb524d host to
> continue using old-style krb4 ticket derived tokens:
> 
> [appdefaults]
> afs_krbt = {
>         REALM.NAME = {
>                 afs=false
>                 afs/cell.name = false
>         }
> }
> 
> Why, exactly, is this necessary? And, are we referring to aklog type tokens
> here, etc (Macs, for example, initially get tokens with aklog'ing on krb4
> tickets).

This is necessary if you have older OpenAFS servers (or Transarc
Servers) that don't understand the "rxkad2b" krb5 token.  If you're
using modern OpenAFS servers then you do not need this.

> Next:
> It is mentioned many times that the afs principal in krb5 should be created
> with -e des-cbc-crc:v4
> 
> Why not des-cbc-crc:afs3 ?

Because you're creating a random key, you do not need to specify the
salt.  Indeed, you don't even need to specify :v4!

> And, I have noted that when doing:
> kadmin: addprinc -randkey -e des-cbc-crc:v4 afs
> 
> kadmin: getprinc afs
> 
> (snip)
> Key: vno 1, DES cbc mode with CRC-32, no salt
> (snip)
> 
> Ok, so, no salt? Is this right? Is this a bug in krb5 version that we have?

Yes, this is right.  The SALT is only used for the string-to-key...
But there is no string-to-key for a random key... There is no
"password" that you can type to get the AFS key.  So "no salt" is
perfectly correct.  Also the "no salt" is what you get from the ":v4"
above.  v4 == no salt.

> Examining a user imported with the krb5 migration kit:
> 
> Key: vno 0, DES cbc mode with CRC-32, AFS version 3
> 
> On the test krb5 server, I can still get tokens (from Linux, at least) using
> klog and fakeka.  So, maybe nothing is wrong. Or maybe this will cause a
> problem in the future? Problems with other OSes maybe?

nope.  not at all.  The only issue is the string-to-key for the user
principals.  Your AFS key doesn't matter one bit.

> Thanks!

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
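The thread turns on what `kadmin: getprinc` reports for each key (enctype and salt type) and on the afs service principal having been created as a single des-cbc-crc key. The following added example (not code from the list, from OpenAFS or from MIT krb5) parses the `Key: vno N, <enctype>, <salt>` lines of getprinc output so the two things discussed above can be checked across a dump of principals: whether the afs key is exactly one des-cbc-crc key as the wiki recommends, and which user principals still carry the "AFS version 3" salt left by the migration kit. The principal names, the extra key lines and the "exactly one des-cbc-crc key" criterion are assumptions for the example; two of the sample key lines are copied from the message above.

```python
"""
Parse the 'Key:' lines of MIT kadmin `getprinc` output and report salt types.

The sample dump below is constructed for this example; the two key lines for
afs@ and alice@ are the ones shown in the mailing-list message, the others
are invented to exercise the checks.
"""
import re
from typing import Dict, List

# Matches e.g.  "Key: vno 1, DES cbc mode with CRC-32, no salt"
# Enctype strings printed by kadmin never contain a comma, so the split
# between enctype and salt type is unambiguous; the salt part is optional.
KEY_LINE = re.compile(r"^Key:\s*vno\s+(\d+),\s*([^,]+?)(?:,\s*(.+))?$")
PRINC_LINE = re.compile(r"^Principal:\s*(\S+)$")

# Enctype string MIT kadmin prints for des-cbc-crc, the type the page
# recommends for the afs principal.
DES_CBC_CRC = "DES cbc mode with CRC-32"

# Constructed sample: three principals, as several getprinc dumps pasted together.
SAMPLE = """\
Principal: afs@EXAMPLE.ORG
Expiration date: [never]
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Principal: alice@EXAMPLE.ORG
Expiration date: [never]
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Principal: afs/test.cell@EXAMPLE.ORG
Number of keys: 2
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, Version 5
"""


def parse_getprinc(text: str) -> Dict[str, List[dict]]:
    """Return {principal: [{vno, enctype, salt}, ...]} for concatenated dumps."""
    result: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PRINC_LINE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = KEY_LINE.match(line)
        if m and current is not None:
            vno, enctype, salt = m.groups()
            result[current].append({
                "vno": int(vno),
                "enctype": enctype.strip(),
                # A key line without a salt field is recorded as such, not guessed.
                "salt": salt.strip() if salt else "(not shown)",
            })
    return result


def check_afs_principal(keys: List[dict]) -> List[str]:
    """Findings for the afs service principal.

    Assumed criterion (from the page's recommendation): exactly one key, and
    that key des-cbc-crc.  Salt type is deliberately not checked, since a
    random key has no string-to-key and its salt label does not matter.
    """
    findings = []
    if not keys:
        return ["no keys present"]
    if len(keys) != 1:
        findings.append(f"{len(keys)} keys present; expected exactly one DES key")
    for k in keys:
        if k["enctype"] != DES_CBC_CRC:
            findings.append(f"vno {k['vno']}: enctype '{k['enctype']}' is not des-cbc-crc")
    return findings


def principals_with_salt(parsed: Dict[str, List[dict]], salt: str) -> List[str]:
    """Principals having at least one key with the given salt label, e.g.
    'AFS version 3' for users imported by the krb5 migration kit."""
    return sorted(p for p, keys in parsed.items() if any(k["salt"] == salt for k in keys))


if __name__ == "__main__":
    parsed = parse_getprinc(SAMPLE)
    for princ, keys in parsed.items():
        print(princ, keys)
    print("afs findings:", check_afs_principal(parsed["afs@EXAMPLE.ORG"]))
    print("afs/test.cell findings:", check_afs_principal(parsed["afs/test.cell@EXAMPLE.ORG"]))
    print("still AFS-salted:", principals_with_salt(parsed, "AFS version 3"))
```

Feed it the output of `getprinc` for each principal you care about (or a dump produced by looping over `listprincs`). The salt report is informational, matching the reply above: an "AFS version 3" salt only affects string-to-key for password-based user principals, while the afs service key, being random, is checked on enctype and key count alone.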