[OpenAFS] ka-forwarder -> fakeka malformed (bad password)

John W. Sopko Jr. sopko@cs.unc.edu
Thu, 29 Jun 2006 20:08:14 -0400


 >>My Kerberos REALM name and CELL name are DIFFERENT. I need to do this
 >>since our Windows group took over the REALM name that is the same
 >>as the AFS cell name for their Kerberos system.

 >Unfortunately, this puts a bit of a crimp in things.  But it may not be
 >your real problem.

 >You need to have passwords in the V5 database that AFS can understand.
 >Do you?  In this case, they probably either need to be V4 salted or AFS
 >salted .. and if they're AFS-salted, then they probably have the wrong
 >salt.  And to answer your next likely question ... there's no way to convert
 >keys in the database to ones with the "right" salt.

Is there a way to tell what the salt is? Sounds like there
is some mix-up with the cell name (cs.unc.edu) and the
Kerberos realm name (CXS.UNC.EDU).

The default encryption types for the user are below. Can fakeka handle
picking out the right one or does there need to be just one
type specified? I tried setting the single key types
with "cpw -e des-cbc-crc:v4 sopko" and
"cpw -e des-cbc-crc:normal" i.e.:

Key: vno 12, DES cbc mode with CRC-32, AFS version 3
Key: vno 13, DES cbc mode with CRC-32, no salt

and these did not work.

I never did understand what sets the 8 default types
shown below. If you set a single type with the -e option
then change the passwd with kadmin or kpasswd you get the
following 8 types.

kadmin:  getprinc sopko
Principal: sopko@CSX.UNC.EDU
Expiration date: [never]
Last password change: Thu Jun 29 19:45:24 EDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Thu Jun 29 19:45:24 EDT 2006 (adams/admin@CSX.UNC.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 14, ArcFour with HMAC/md5, no salt
Key: vno 14, ArcFour with HMAC/md5, Version 5 - No Realm
Key: vno 14, ArcFour with HMAC/md5, Version 5 - Realm Only
Key: vno 14, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 14, DES with HMAC/sha1, no salt
Key: vno 14, DES cbc mode with RSA-MD5, no salt
Key: vno 14, DES cbc mode with CRC-32, Version 4
Key: vno 14, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]


-- 
John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175
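
Added example, not part of the original message or of OpenAFS/MIT Kerberos: a small parser for the `getprinc` key list quoted above that picks out the single-DES keys carrying the salt types the quoted reply names (V4 or AFS) and flags an AFS3-salted key when the realm and cell names differ. The function names are hypothetical, and the realm-derived AFS3 salt is an assumption taken from the reply's "wrong salt" remark.

```python
import re

# Lines copied from the kadmin getprinc output in the message above.
GETPRINC = """\
Principal: sopko@CSX.UNC.EDU
Key: vno 14, ArcFour with HMAC/md5, no salt
Key: vno 14, ArcFour with HMAC/md5, Version 5 - No Realm
Key: vno 14, ArcFour with HMAC/md5, Version 5 - Realm Only
Key: vno 14, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 14, DES with HMAC/sha1, no salt
Key: vno 14, DES cbc mode with RSA-MD5, no salt
Key: vno 14, DES cbc mode with CRC-32, Version 4
Key: vno 14, DES cbc mode with CRC-32, AFS version 3
"""

KEY_RE = re.compile(r"^Key: vno (\d+), (.+), ([^,]+)$")
# Salt labels the quoted reply names as usable ("V4 salted or AFS salted").
AFS_USABLE_SALTS = {"Version 4", "AFS version 3"}


def parse_keys(text):
    """Return (realm, [(vno, enctype, salt_label), ...]) from getprinc text."""
    realm, keys = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            realm = line.split("@", 1)[1]
        m = KEY_RE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3)))
    return realm, keys


def afs_candidates(text, cell):
    """List single-DES keys with a V4 or AFS3 salt; flag realm/cell mismatch."""
    realm, keys = parse_keys(text)
    out = []
    for vno, enctype, salt in keys:
        if not enctype.startswith("DES cbc mode") or salt not in AFS_USABLE_SALTS:
            continue
        # Assumption: an AFS3 salt is derived from the realm name, so it only
        # matches what AFS expects when the lowercased realm equals the cell.
        mismatch = salt == "AFS version 3" and realm.lower() != cell.lower()
        out.append({"vno": vno, "salt": salt, "salt_mismatch": mismatch})
    return out


if __name__ == "__main__":
    print(afs_candidates(GETPRINC, cell="cs.unc.edu"))
```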