[OpenAFS] Re: rxk error: caller not authorized
J Maynard Gelinas
gelinas@lns.mit.edu
Sun, 25 Apr 2004 16:33:47 -0400 (EDT)
Another epiphany!
The Debian changelog for krb5-1.2.4-5woody4 states:
krb5 (1.2.4-5woody4) stable-security; urgency=high
* Patch for CERT VU#623217 and VU#442569: Cryptographic weaknesses in
Kerberos 4
- Add -X option to krb5kdc and krb524d. By default cross-realm is
no longer supported for krb4 as it is a security hole.
- Add protection to isolate krb5 keys from krb4 especially for the
TGS key
--> - Remove support for the MIT extension to krb4 to use 3DES keys as
it is insecure.
* Patch to various DOS issues where the KDC assumes principal names have
certain components. Fixes CAN-2003-0072
* Patch for CERT VU#516825: Additional errors in XDR that may lead to
denial of service.
-- Sam Hartman <hartmans@debian.org> Mon, 17 Mar 2003 23:18:51 -0500
And upon reverting back to woody3 packages my problem on the slave goes
away! Sooooooo.... I think using 3DES key for K/M is the cause. Now, can I
fix this without doing something drastic to my kerberos database (like
hand editing a dump file wasn't drastic enough)? If not, should I dump V4
TGT conversion on the clients? Any suggestions? And again, thanks for all
the help!
Cheers,
--Maynard
On Sun, 25 Apr 2004, J Maynard Gelinas wrote:
>
> What I'm thinking is that the encryption type of 3DES cbc mode with
> HMAC/sha1 for krbtgt/LNS.MIT.EDU@LNS.MIT.EDU is the real culprit here.
> Assuming that the new krb524d won't accept that encryption type, and
> that's the true cause, are there any recommendations for an easy way out
> of this mess? And if that's not the cause, could any of the other changes
> listed be relevant to the cause?
>
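A small check that follows from the thread above, added here as an example and not code from the original post or from OpenAFS/MIT krb5: Kerberos 4 (and therefore krb524 ticket conversion) only understands single DES, so the question is whether the krbtgt principal carries any key of another enctype. The script parses the `Key:` lines of `kadmin.local -q "getprinc krbtgt/LNS.MIT.EDU@LNS.MIT.EDU"` output and separates krb4-usable keys from the rest. The sample output below is constructed, and the exact enctype wording ("Triple DES cbc mode with HMAC/sha1", "DES cbc mode with CRC-32") is an assumption about how that era's kadmin printed them; adjust the regex if your kadmin prints them differently.

```python
import re

# Constructed sample of `kadmin.local -q "getprinc <principal>"` output
# (assumed wording, not taken from the original post).
SAMPLE_GETPRINC = """\
Principal: krbtgt/LNS.MIT.EDU@LNS.MIT.EDU
Expiration date: [never]
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
"""

# "Key: vno <n>, <enctype description>, <salt description>"
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")


def parse_keys(text):
    """Return (kvno, enctype, salt) tuples for every Key: line in getprinc output."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3)))
    return keys


def is_single_des(enctype):
    """True only for single-DES enctypes, the only family Kerberos 4 can use.

    'Triple DES' also contains the substring 'DES', so it is excluded explicitly.
    """
    name = enctype.lower()
    return "des" in name and "triple" not in name and "3des" not in name


def krb4_compatibility(text):
    """Split the principal's keys into krb4-usable (single DES) and everything else."""
    keys = parse_keys(text)
    return {
        "single_des_keys": [k for k in keys if is_single_des(k[1])],
        "non_krb4_keys": [k for k in keys if not is_single_des(k[1])],
    }


if __name__ == "__main__":
    report = krb4_compatibility(SAMPLE_GETPRINC)
    for kvno, enc, salt in report["non_krb4_keys"]:
        print(f"not usable by krb4/krb524: vno {kvno}, {enc} ({salt})")
    if not report["single_des_keys"]:
        print("no single-DES key present: krb524 conversion cannot work")
```

Feed it the real `getprinc` output for the krbtgt principal (and for any service principal whose tickets get converted) rather than the constructed sample; a 3DES-only krbtgt key is the situation the changelog entry on line 14 above stopped supporting.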