[OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

Mike Dopheide dopheide@ncsa.uiuc.edu
Fri, 31 Aug 2007 16:02:52 -0500

We've also found that reverting back to MIT Kerberos 1.4.3 wasn't good 
enough.  Some principals would start working with klog again after 
another password change, but others needed to be deleted and recreated.

Is anyone else using MIT Kerberos 1.6.2 and klog?


Mike Dopheide wrote:
> Number of keys: 5
> Key: vno 30, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 30, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 30, DES cbc mode with CRC-32, no salt
> Key: vno 30, DES cbc mode with CRC-32, Version 4
> Key: vno 30, DES cbc mode with CRC-32, AFS version 3
> -Mike
> Jeffrey Altman wrote:
>> Matt Elliott wrote:
>>> We just discovered a problem with our KDC now running MIT 1.6.2.  When a
>>> user changes their password (previous keys were created with our old kdc
>>> version 1.4.3 still work) with patches and then tries klog it  longer
>>> grants tokens. klog returns "Unable to authenticate to AFS because
>>> password was incorrect."  kinit and a subsequent aklog still works.  Has
>>> anyone else seen this or have a fix?
>> What keys are you generating in the KDC for principals at password 
>> changes?
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info