[OpenAFS] A problem with authentication

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 08 Mar 2007 10:41:37 -0500


>and I'm not sure why the difference exists, other than that the oldest
>haven't changed their passwords since before we moved to heimdal.

The short answer is that the plaintext password gets converted via a
one-way algorithm to the encryption key used by Kerberos.  So if you
have an afs3-salted key (one particular algorithm) there is no way to
convert that to a new key/salt type without knowing the original
password.

One thing that isn't clear to me: is the problem that various people
are having problems occasionally, or is it that the _same_ people are
having the problem?  (In other words, does it fail for user X 100% of the time?)
The former doesn't sound like a keysalt problem, but the latter almost
certainly is.

It shouldn't be too bad to track down which sets of users are having
the problem.  Now, how to fix it?  Well, that depends if it's the oldest
or newest users that are having the problem.  In theory the newer Kerberos
code should work fine with the older enctypes, but it wouldn't surprise me
if you also went from using Kerberos 4 natively to Kerberos 5 (that's just
a guess).  One simple thing to do would be to start enforcing password
changes (which you know you should be doing anyway); that would ensure that
all users have the same set of enctypes.  If you didn't mind doing some
programming you could create a new libpam which took the user's plaintext
password and did a password change for the user.  This all supposes that
the problem is key/salt related.

--Ken
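As an added example (not part of Ken's mail, nor code from OpenAFS or Heimdal), the following Go program reimplements the two one-way derivations being contrasted above: the standard Kerberos DES string-to-key from RFC 3961 section 6.2, which produces a "pw-salt" key from password plus salt, and the Transarc/AFS algorithm behind an "afs3-salt" key, which feeds password plus lowercased cell name through two chained DES-CBC MACs seeded with the literal "kerberos". The Kerberos half is checked against RFC 3961's published test vectors; the AFS half follows the algorithm as implemented in Heimdal and OpenAFS for passwords longer than 8 bytes (the crypt(3)-based short-password variant is omitted) and is an assumption in the sense that no public test vector is checked here. The password, principal and cell name are constructed sample values. The point the code makes concrete is Ken's: both keys come from the same password through different one-way functions, so a KDC holding only the afs3-salt key cannot manufacture the pw-salt key, or vice versa, without the plaintext.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// desCBCMAC zero-pads data to a multiple of 8 bytes, runs DES-CBC under key
// with the given IV and returns the last ciphertext block: the des_cbc_cksum
// primitive both string-to-key functions below are built on.
func desCBCMAC(key, iv, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, (len(data)+7)&^7)
	copy(padded, data)
	out := make([]byte, 8)
	copy(out, iv)
	for i := 0; i < len(padded); i += 8 {
		for j := 0; j < 8; j++ {
			out[j] ^= padded[i+j]
		}
		block.Encrypt(out, out)
	}
	return out, nil
}

// setOddParity sets the low bit of every key byte so the byte has odd parity.
func setOddParity(k []byte) {
	for i := range k {
		if bits.OnesCount8(k[i]&0xfe)%2 == 0 {
			k[i] |= 1
		} else {
			k[i] &^= 1
		}
	}
}

func hasOddParity(k []byte) bool {
	for _, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// The 16 DES weak and semi-weak keys that RFC 3961 key_correction() rejects;
// a hit gets its last byte XORed with 0xF0, which preserves parity.
var weakKeys = map[string]bool{
	"0101010101010101": true, "fefefefefefefefe": true, "e0e0e0e0f1f1f1f1": true, "1f1f1f1f0e0e0e0e": true,
	"011f011f010e010e": true, "1f011f010e010e01": true, "01e001e001f101f1": true, "e001e001f101f101": true,
	"01fe01fe01fe01fe": true, "fe01fe01fe01fe01": true, "1fe01fe00ef10ef1": true, "e01fe01ff10ef10e": true,
	"1ffe1ffe0efe0efe": true, "fe1ffe1ffe0efe0e": true, "e0fee0fef1fef1fe": true, "fee0fee0fef1fef1": true,
}

func fixWeakKey(k []byte) {
	if weakKeys[hex.EncodeToString(k)] {
		k[7] ^= 0xf0
	}
}

// krb5DESStringToKey is RFC 3961 section 6.2: fan-fold the 7-bit characters of
// password||salt into 56 bits (every second block bit-reversed), add parity,
// then DES-CBC-MAC the padded input under that key with the key as IV.
func krb5DESStringToKey(password, salt string) ([]byte, error) {
	s := []byte(password + salt)
	s = append(s, make([]byte, (8-len(s)%8)%8)...) // null-pad to 8-byte boundary
	var fold uint64
	for i := 0; i < len(s); i += 8 {
		var v uint64
		for _, b := range s[i : i+8] {
			v = v<<7 | uint64(b&0x7f) // drop each octet's high bit
		}
		if (i/8)%2 == 1 {
			v = bits.Reverse64(v) >> 8 // reverse the 56-bit string on even-numbered blocks
		}
		fold ^= v
	}
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		key[i] = byte(fold>>(7*(7-i))&0x7f) << 1 // 7 data bits, parity bit in the LSB
	}
	setOddParity(key)
	fixWeakKey(key)
	mac, err := desCBCMAC(key, key, s)
	if err != nil {
		return nil, err
	}
	setOddParity(mac)
	fixWeakKey(mac)
	return mac, nil
}

// afs3TransarcStringToKey is the "afs3-salt" derivation for passwords longer
// than 8 bytes, following Heimdal/OpenAFS: password||lowercase(cell), a MAC
// seeded with "kerberos", then a second MAC keyed by the first result.
func afs3TransarcStringToKey(password, cell string) ([]byte, error) {
	if len(password) <= 8 {
		return nil, fmt.Errorf("afs3: %d-byte password takes the crypt(3) path, not implemented here", len(password))
	}
	s := []byte(password)
	for i := 0; i < len(cell); i++ {
		c := cell[i]
		if 'A' <= c && c <= 'Z' {
			c += 'a' - 'A' // ASCII tolower, as the C code does byte by byte
		}
		s = append(s, c)
	}
	if len(s) > 512 { // Heimdal's buffer limit for this algorithm
		s = s[:512]
	}
	seed := []byte("kerberos")
	setOddParity(seed)
	iv, err := desCBCMAC(seed, []byte("kerberos"), s)
	if err != nil {
		return nil, err
	}
	second := append([]byte(nil), iv...)
	setOddParity(second)
	key, err := desCBCMAC(second, iv, s)
	if err != nil {
		return nil, err
	}
	setOddParity(key)
	return key, nil
}

func main() {
	// Constructed sample values; the pw-salt is the RFC 4120 default of realm || principal.
	password, pwSalt, cell := "correct-horse-battery", "EXAMPLE.COMalice", "example.com"
	k1, _ := krb5DESStringToKey(password, pwSalt)
	k2, _ := afs3TransarcStringToKey(password, cell)
	fmt.Printf("des-cbc-crc(pw-salt)  : %x\n", k1)
	fmt.Printf("des-cbc-crc(afs3-salt): %x\n", k2)
}
```

Run it and the two printed keys share nothing but their origin; the only input that regenerates the pw-salt key for a principal whose database entry carries an afs3-salt key is the plaintext, which is why Ken's remedies (forced password change, or a PAM module that triggers a change while it still holds the password) are the ones on offer.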