[OpenAFS] Re: Windows AFS client / Kerberos V

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 30 Jan 2007 12:53:02 -0500
>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" afs@HEKIMIAN.COM
>> 
>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
>
>I think -randkey causes the salt to be ignored -- I used :afs3 and
>a subsequent getprinc says that the principal has no salt.

It's a bit more complicated than that.  When you use -randkey, you're
creating a random encryption key.  Remember that point.

What the salt does is provide an extra bit of permutation to the
algorithm to convert a password (what humans type) to an encryption key
(what Kerberos actually uses).  AFS uses one salt algorithm; Kerberos
V5 by default uses another.  But if you're creating a random encryption
key, there is no password that corresponds to that encryption key, so
the salt is meaningless; in this case, the Kerberos code is hardcoded
to only use the "normal" salt for DES-based enctypes.  Now that I think
about it, there is probably no reason for this, as it doesn't matter in
any case and it just ends up confusing people.  To complicate matters
further, in MIT Kerberos "no salt" really means "take the default",
which means "Use the V5 salt rules" ...  and you indicate that by
adding ":normal" to the encryption type when you create a key.

>Converting to Kerberos V has been a bit frustrating -- you can't just
>follow a recipe, you have to use Google and learn quite a bit about
>K5 and AFS to work through it all.  I'm still learning.

You now see why I included so much basic material about AFS and Kerberos 5
in the Migration Kit documentation :-/

--Ken