[OpenAFS] does cross-realm aklog require REQUIRES_PRE_AUTH attribute?

Simon Wilkinson sxw@inf.ed.ac.uk
Sat, 5 May 2007 23:19:08 +0100 (BST)

On Sat, 5 May 2007, Adam Megacz wrote:

> I've found that when doing cross-realm trust between two AFS cells
> (both in MIT KDC realms), the foreign-realm principal trying to
> acquire tokens in the local realm must have REQUIRES_PRE_AUTH as an
> attribute in his/her realm in order for aklog to work.

I've found this happens if the cross realm krbtgt principal has requires 
preauth set. I don't think its a feature of aklog.

However, you really should be using requires preauth on anything that's 
key would be vulnerable to a dictionary attack.