[OpenAFS] Kerberos5 and afs

Steve Devine sdevine@msu.edu
Thu, 15 Nov 2007 18:00:34 -0500

Russ Allbery wrote:
> Steve Devine <sdevine@msu.edu> writes:
>> Forgive the slightly off topic post but I think it applies here as well
>> on the kerberos list Several years ago we moved to MIT kerberos 5. At
>> the time I set the master key in the kdc.conf to:
>> master_key_type = des-cbc-crc
>> I did this to allow transfer of principals from our old kaserver to the
>> new kdc.
>> Now we are trying to get Windows 2003 AD to auth against our Kerberos
>> server and it seems that it will not work with our kdc as it is
>> configured.  My question is am I screwed here or just missing something
>> easy?  I have tried multiple allowed enctypes and still no luck.
>> If I build a kdc without specifying a master key it seems to work.
>> Have any others done this same thing?
> The master key type doesn't matter at all for cross-realm trust.  The only
> thing the master key is used for is encrypting the KDC database on disk.
> It is never seen on the wire and no clients of Kerberos are even aware
> that it exists.
Ok thats a huge relief.
> What matters for cross-realm trust is the enctypes on the cross-realm
> krbtgt keys, which must match in both environments (along with the key and
> the kvno) and must be of an enctype supported in both environments.  Most
> sites these days use rc4-hmac as the cross-realm key type since it's
> stronger than DES and supported by both Windows and MIT Kerberos.  If
> you're running the latest and greatest Windows AD, you can use AES, but
> that's pretty bleeding edge still and most people haven't upgraded that
> far yet.
> Most cross-realm trust problems with Windows end up being problems with
> getting the key and kvno synchronized between the environment or having
> extra stray enctypes on the MIT end that Windows doesn't support.
Does the order of the enctypes listed in the kdc affect this?
This is my current kdc.conf entry:
 supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal 
des-cbc-crc:v4 des-cbc-crc:afs3
I'm not sure how to manipulate the kvno on the AD

Steve Devine
Storage Systems
Academic Computing & Network Services
Michigan State University

506 Computer Center
East Lansing, MI 48824-1042

Baseball is ninety percent mental; the other half is physical.
- Yogi Berra