[OpenAFS] krb_mk_req failure

Christopher Allen Wing wingc@engin.umich.edu
Tue, 13 Jan 2004 13:43:57 -0500 (EST)

If you experienced this problem after upgrading to the latest Transarc AFS
db servers, it's due to a change which disables Kerberos 4 cross-realm
authentication. (on account of the security vulnerability disclosed last

Unfortunately, this also disables all Kerberos 4 principals with instances
(i.e. imap.hostname).

The fix is to make sure that 'kaserver' runs with the '-crossrealm' flag,
e.g. your


should have an entry:

	bnode simple kaserver 1
	parm /usr/afs/bin/kaserver -crossrealm

This will make those Kerberos 4 principals work again, but also open you
up to the cross-realm authentication vulnerability. I think this is okay
as long as you don't actually have cross-realm keys, but I'm not sure.
Comments from anyone?

In the long term, you should upgrade to Kerberos 5.

-Chris Wing

On Tue, 13 Jan 2004, ERIC K. CHEU wrote:

> After upgrading to solve the latest ubik syncronization problems on our
> AFS solaris 7 servers, krb_mk_req function seems to fail no matter what I
> put in it.  Upgraded kth kerberos but still the same issues, error is:
> 8 Principal unknown (kerberos)
> which doesn't make sense, of course, since when I do a kas examine, the
> principal is known (and can authenticate against).  Too bad transarc
> apparently did not include solaris 7 binaries in their latest patch
> (#9).  Only other recourse is to move to openafs libraries and see if that
> works (or maybe upgrade to solaris 8).