[OpenAFS] A problem with authentication

Dr A V Le Blanc Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Thu, 8 Mar 2007 15:20:33 +0000


We have a very old AFS cell, installed with kaserver back in 1991,
and we later migrated to use heimdal instead of kaserver.  This was
working well with Debian sarge installations, which were our standard
setup until recently.  When we started upgrading some of our clients
to Debian etch (libpam-heimdal moves from 1.0-17 to 2.5-1), we're
seeing problems with some people getting failed login problems
repeatedly (in /var/log/auth.log we see 'Failed password for xxx').
If we change the pam library from libpam-heimdal to the MIT-based
libpam-krb5 (version 2.6-1), there are still some failures, but
not as many.

It's very difficult for me to tell whether this is a Debian
problem or a Heimdal problem or something else.  The Kerberos V
database is a heimdal-kdc (version 0.7.2.dfsg.1-10) into which
we imported our old kaserver database some years ago when we
got rid of the kaserver.

My suspicion is that the problem may be related to the default-keys
definition; in kdc.conf under [kadmin] I have:

     default_keys = v5 des3:pw-salt des:afs3-salt:[cell name]

The problem is, users in the data base have different salts depending
on when they were created or changed their passwords.  The oldest users
have:
     Keytypes: des-cbc-md5(afs3-salt([cell name])), des-cbc-md4(afs3-salt([cell name])), des-cbc-crc(afs3-salt([cell name]))

some users from the middle have:
     Keytypes: des3-cbc-sha1(pw-salt), des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)

and the newest users have:
     Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt), arcfour-hmac-md5(pw-salt), des3-cbc-sha1(pw-salt), des-cbc-md5(afs3-salt([cell name])), des-cbc-md4(afs3-salt([cell name])), des-cbc-crc(afs3-salt([cell name]))

and I'm not sure why the difference exists, other than that the oldest
haven't changed their passwords since before we moved to heimdal.

Suggestions or explanations welcome!

     -- Owen
     Dr. A O V Le Blanc
     LeBlanc@mcc.ac.uk, LeBlanc@man.ac.uk, LeBlanc@manchester.ac.uk