[OpenAFS] Re: Windows AFS client / Kerberos V
Joe Buehler
jbuehler@spirentcom.com
Tue, 30 Jan 2007 10:13:13 -0500
There is a discrepancy between the users I imported using the afs-krb5
database migration tool and the afs principal. The users all have
AFS3 salt but the afs principal does not. Is this a problem?

I have not been able to recreate afs@HEKIMIAN.COM with the proper salt.
For example:

    ank -kvno 2 -randkey -e "des-cbc-crc:afs3" afs@HEKIMIAN.COM

I end up with:

    Principal: afs@HEKIMIAN.COM
    Expiration date: [never]
    Last password change: Tue Jan 30 09:59:53 EST 2007
    Password expiration date: [none]
    Maximum ticket life: 7 days 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Tue Jan 30 09:59:53 EST 2007 (jhpb/admin@HEKIMIAN.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 3, DES cbc mode with CRC-32, no salt
    Attributes:
    Policy: [none]

The afs3 salt type appears to have been ignored. Is that a problem
for a Windows client?

Here's my kdc.conf:

    [kdcdefaults]
        kdc_ports = 750,88
        v4_mode = full

    [realms]
        HEKIMIAN.COM = {
            database_name = /usr/krb5-1.5.1/var/krb5kdc/principal
            admin_keytab = FILE:/usr/krb5-1.5.1/var/krb5kdc/kadm5.keytab
            acl_file = /usr/krb5-1.5.1/var/krb5kdc/kadm5.acl
            key_stash_file = /usr/krb5-1.5.1/var/krb5kdc/.k5.HEKIMIAN.COM
            kdc_ports = 750,88
            max_life = 7d 0h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
        }

--
Joe Buehler