[OpenAFS] Kerberos5 and afs

Russ Allbery rra@stanford.edu
Thu, 15 Nov 2007 15:11:09 -0800


Steve Devine <sdevine@msu.edu> writes:

> Does the order of the enctypes listed in the kdc affect this?

In my experience, the enctype list should match exactly.  It doesn't
matter what order you list the enctypes in; if you have enctypes on the
krbtgt key that aren't present in Windows, you may lose.  So, in this
case:

> This is my current kdc.conf entry:
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des-cbc-crc:v4 des-cbc-crc:afs3

you need to explicitly specify -e des-cbc-crc:normal when creating the
krbtgt cross-realm keys.  Otherwise you'll get a des3 key in your KDC and
since Windows doesn't support des3, you'll lose.

Also, if you're entering a password to create this key, be very careful of
the salting algorithm.  I think that you'll need to fix that on the
Windows side, since IIRC MIT Kerberos can't do the Windows salt but
Windows can do the MIT salt (if configured correctly), but it's been a
long time and I'm forgetting the details.

> I'm not sure how to manipulate the kvno on the AD

It depends on the version of Windows.  Sometimes you can't at all.  And
regardless, since on the MIT side you can just use modprinc -kvno, it's
way easier to make the MIT side match Windows than vice versa.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
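Added example, not part of this message or of OpenAFS/MIT Kerberos: a small sh script that prints the kadmin commands the reply describes (explicit `-e` enctype list for the cross-realm krbtgt keys, `modprinc -kvno` to match Windows) and checks a `getprinc` listing for stray enctypes or a kvno mismatch. The realm names and the listing are constructed, and the `Key: vno N, enctype` line shape is an assumption about kadmin's output.

```shell
#!/bin/sh
# Added example; realms and the getprinc listing are placeholders/constructed.
# The "Key: vno N, enctype" line format is an assumption about MIT kadmin.

MIT_REALM="MIT.EXAMPLE"
AD_REALM="AD.EXAMPLE"
XREALM_ENCTYPES="des-cbc-crc:normal"   # the one enctype both sides share here

# kadmin commands creating both cross-realm krbtgt principals with an explicit
# enctype list, so the kdc.conf default (des3 first) does not add a des3 key.
xrealm_addprinc_cmds() {
    printf 'addprinc -e "%s" krbtgt/%s@%s\n' "$XREALM_ENCTYPES" "$AD_REALM" "$MIT_REALM"
    printf 'addprinc -e "%s" krbtgt/%s@%s\n' "$XREALM_ENCTYPES" "$MIT_REALM" "$AD_REALM"
}

# kadmin command that makes the MIT-side kvno match the one Windows holds.
xrealm_kvno_cmd() {   # $1 = kvno observed on the Windows side
    printf 'modprinc -kvno %s krbtgt/%s@%s\n' "$1" "$AD_REALM" "$MIT_REALM"
}

# Verify a getprinc listing: there must be at least one key, and every key
# line must carry the expected kvno and an allowed enctype. Offending lines
# go to stderr; returns 1 on any mismatch.
check_xrealm_keys() {   # $1 = getprinc output, $2 = expected kvno, $3 = allowed enctype regex
    keys=$(printf '%s\n' "$1" | grep '^Key: vno' || true)
    [ -n "$keys" ] || { echo 'no keys in listing' >&2; return 1; }
    bad=$(printf '%s\n' "$keys" | grep -v -E "^Key: vno $2, ($3)(,| |\$)" || true)
    [ -z "$bad" ] && return 0
    printf 'mismatched key(s):\n%s\n' "$bad" >&2
    return 1
}

# Constructed listing showing the failure mode from the thread: the krbtgt
# principal picked up a des3 key that Windows cannot use.
SAMPLE_LISTING='Principal: krbtgt/AD.EXAMPLE@MIT.EXAMPLE
Key: vno 2, des3-cbc-sha1
Key: vno 2, des-cbc-crc'

xrealm_addprinc_cmds
xrealm_kvno_cmd 2
check_xrealm_keys "$SAMPLE_LISTING" 2 'des-cbc-crc' || echo "fix the key with: $(xrealm_addprinc_cmds | head -n 1)"
```

Run the printed `addprinc`/`modprinc` lines inside `kadmin.local`, then paste the real `getprinc` output into `check_xrealm_keys` to confirm only the shared enctype remains at the expected kvno.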