[OpenAFS] Kerberos5 and afs

Russ Allbery rra@stanford.edu
Thu, 15 Nov 2007 15:11:09 -0800

Steve Devine <sdevine@msu.edu> writes:

> Does the order of the enctypes listed in the kdc affect this?

In my experience, the enctype list should match exactly.  It doesn't
matter what order you list the enctypes in; if you have enctypes on the
krbtgt key that aren't present in Windows, you may lose.  So, in this

> This is my current kdc.conf entry:
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des-cbc-crc:v4 des-cbc-crc:afs3

you need to explicitly specify -e des-cbc-crc:normal when creating the
krbtgt cross-realm keys.  Otherwise you'll get a des3 key in your KDC and
since Windows doesn't support des3, you'll lose.

Also, if you're entering a password to create this key, be very careful of
the salting algorithm.  I think that you'll need to fix that on the
Windows side, since IIRC MIT Kerberos can't do the Windows salt but
Windows can do the MIT salt (if configured correctly), but it's been a
long time and I'm forgetting the details.

> I'm not sure how to manipulate the kvno on the AD

It depends on the version of Windows.  Sometimes you can't at all.  And
regardless, since on the MIT side you can just use modprinc -kvno, it's
way easier to make the MIT side match Windows than vice versa.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>