[OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

Christopher D. Clausen cclausen@acm.org
Fri, 31 Aug 2007 16:33:45 -0500


Just a thought, did you add/change enc_types when you went to 1.6.2? 
E.g. were you supporting AES256, DES3 and DES under krb5-1.4.3? I've
seen issues with certain things not understanding the AES256 type.

<<CDC

Mike Dopheide <dopheide@ncsa.uiuc.edu> wrote:
> We've also found that reverting back to MIT Kerberos 1.4.3 wasn't good
> enough.  Some principals would start working with klog again after
> another password change, but others needed to be deleted and
> recreated.
> Is anyone else using MIT Kerberos 1.6.2 and klog?
>
> Mike Dopheide wrote:
>> Number of keys: 5
>> Key: vno 30, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
>> Key: vno 30, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 30, DES cbc mode with CRC-32, no salt
>> Key: vno 30, DES cbc mode with CRC-32, Version 4
>> Key: vno 30, DES cbc mode with CRC-32, AFS version 3
>>
>> Jeffrey Altman wrote:
>>> Matt Elliott wrote:
>>>> We just discovered a problem with our KDC now running MIT 1.6.2. 
>>>> When a user changes their password (previous keys were created
>>>> with our old kdc version 1.4.3 still work) with patches and then
>>>> tries klog it no longer grants tokens. klog returns "Unable to
>>>> authenticate to AFS because password was incorrect."  kinit and a
>>>> subsequent aklog still works.  Has anyone else seen this or have a
>>>> fix?