[OpenAFS] Re: Windows AFS client / Kerberos V

Joe Buehler jbuehler@spirentcom.com
Tue, 30 Jan 2007 10:13:13 -0500


There is a discrepancy between the users I imported using the afs-krb5
database migration tool and the afs principal.  The users all have
AFS3 salt but the afs principal does not.  Is this a problem?

I have not been able to recreate afs@HEKIMIAN.COM with the proper salt.
For example:

ank -kvno 2 -randkey -e "des-cbc-crc:afs3" afs@HEKIMIAN.COM

I end up with:

Principal: afs@HEKIMIAN.COM
Expiration date: [never]
Last password change: Tue Jan 30 09:59:53 EST 2007
Password expiration date: [none]
Maximum ticket life: 7 days 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 30 09:59:53 EST 2007 (jhpb/admin@HEKIMIAN.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

The afs3 salt type appears to have been ignored.  Is that a problem
for a Windows client?

Here's my kdc.conf:

[kdcdefaults]
	kdc_ports = 750,88
	v4_mode = full

[realms]
	HEKIMIAN.COM = {
		database_name = /usr/krb5-1.5.1/var/krb5kdc/principal
		admin_keytab = FILE:/usr/krb5-1.5.1/var/krb5kdc/kadm5.keytab
		acl_file = /usr/krb5-1.5.1/var/krb5kdc/kadm5.acl
		key_stash_file = /usr/krb5-1.5.1/var/krb5kdc/.k5.HEKIMIAN.COM
		kdc_ports = 750,88
		max_life = 7d 0h 0m 0s
		max_renewable_life = 7d 0h 0m 0s
		supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
	}
-- 
Joe Buehler
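
An added example, not part of the original post: a small Python check that parses the "Key:" lines of the principal listing, in the format quoted above, and compares them with the kvno and key-salt spec that were requested. The function names and the embedded sample text are constructed for illustration; the only salt label it relies on is the "no salt" string shown in the post.

```python
import re

# Constructed sample: the relevant lines of the principal listing quoted in the post.
SAMPLE_GETPRINC = """\
Principal: afs@HEKIMIAN.COM
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
"""

# "Key: vno <n>, <enctype label>, <salt label>" as printed in the post.
KEY_LINE = re.compile(r"^Key:\s*vno\s+(\d+),\s*(.+),\s*([^,]+?)\s*$")

def parse_keys(getprinc_text):
    """Return a list of (kvno, enctype_label, salt_label) tuples."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2).strip(), m.group(3).strip()))
    return keys

def parse_keysalt(spec):
    """Split a key-salt spec such as 'des-cbc-crc:afs3' into (enctype, salt)."""
    enctype, _, salt = spec.partition(":")
    return enctype, (salt or "normal")

def check_principal(getprinc_text, requested_kvno, requested_keysalt):
    """List the differences between what was requested and what is stored."""
    _, want_salt = parse_keysalt(requested_keysalt)
    findings = []
    keys = parse_keys(getprinc_text)
    if not keys:
        findings.append("no Key: lines found")
    for kvno, _enctype_label, salt_label in keys:
        if kvno != requested_kvno:
            findings.append(f"kvno {kvno} stored, {requested_kvno} requested")
        # A non-default salt was asked for but the stored key reports none.
        if want_salt != "normal" and salt_label == "no salt":
            findings.append(f"salt '{want_salt}' requested, key vno {kvno} has no salt")
    return findings

if __name__ == "__main__":
    for finding in check_principal(SAMPLE_GETPRINC, 2, "des-cbc-crc:afs3"):
        print(finding)
```

Run against the listing in the post, it reports both the ignored salt and the difference between the requested kvno (2) and the stored one (3).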