[OpenAFS] Kerberos5 and afs

Steve Devine sdevine@msu.edu
Thu, 15 Nov 2007 19:48:35 -0500

Russ Allbery wrote:
> Steve Devine <sdevine@msu.edu> writes:
>> Does the order of the enctypes listed in the kdc affect this?
> In my experience, the enctype list should match exactly.  It doesn't
> matter what order you list the enctypes in; if you have enctypes on the
> krbtgt key that aren't present in Windows, you may lose.  So, in this
> case:
>> This is my current kdc.conf entry:
>> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>> des-cbc-crc:v4 des-cbc-crc:afs3
> you need to explicitly specify -e des-cbc-crc:normal when creating the
> krbtgt cross-realm keys.  Otherwise you'll get a des3 key in your KDC and
> since Windows doesn't support des3, you'll lose.
OK, that was it ... thanks to all. I hate to say how much time I spent on 
I am going to continue testing on this and I may post my results when I 
have something more coherent.
Thanks again.

> Also, if you're entering a password to create this key, be very careful of
> the salting algorithm.  I think that you'll need to fix that on the
> Windows side, since IIRC MIT Kerberos can't do the Windows salt but
> Windows can do the MIT salt (if configured correctly), but it's been a
> long time and I'm forgetting the details.
>> I'm not sure how to manipulate the kvno on the AD
> It depends on the version of Windows.  Sometimes you can't at all.  And
> regardless, since on the MIT side you can just use modprinc -kvno, it's
> way easier to make the MIT side match Windows than vice versa.

Steve Devine
Storage Systems
Academic Computing & Network Services
Michigan State University

506 Computer Center
East Lansing, MI 48824-1042

Baseball is ninety percent mental; the other half is physical.
- Yogi Berra
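A small checker for the two failure modes the thread walks through: a cross-realm krbtgt key carrying an enctype the Windows side cannot use, and a kvno that does not match the peer. This is an added example, not code from the thread, OpenAFS or MIT Kerberos; the kadmin getprinc output format, the realm names and the Windows enctype set are constructed assumptions (only the supported_enctypes value comes from the post).

```python
"""Check an MIT cross-realm krbtgt key against what the peer realm can use."""
import re
from typing import Dict, List, Optional, Set, Tuple

# kdc.conf line from the thread; getprinc output and realms are constructed,
# and the 'Key: vno N, enctype' line format is an assumption.
KDC_CONF_LINE = ("supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal "
                 "des-cbc-crc:v4 des-cbc-crc:afs3")
GETPRINC_OUTPUT = """\
Principal: krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM
Key: vno 3, des3-cbc-sha1
Key: vno 3, des-cbc-crc
"""
# Assumed set of enctypes the Windows KDC of that era accepts for a trust key.
WINDOWS_ENCTYPES: Set[str] = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}


def parse_supported_enctypes(line: str) -> List[Tuple[str, str]]:
    """Return (enctype, salt) pairs from a kdc.conf supported_enctypes line."""
    _, _, value = line.partition("=")
    pairs = []
    for tok in value.split():
        enctype, _, salt = tok.partition(":")
        pairs.append((enctype, salt or "normal"))
    return pairs


def parse_getprinc_keys(output: str) -> List[Tuple[int, str]]:
    """Return (kvno, enctype) for each 'Key:' line of kadmin getprinc output."""
    return [(int(m.group(1)), m.group(2).strip())
            for m in re.finditer(r"^Key: vno (\d+), ([^,\n]+)", output, re.M)]


def check_trust_key(output: str, peer_enctypes: Set[str], peer_kvno: int) -> Dict:
    """Flag key enctypes the peer cannot use and a kvno differing from the peer's."""
    keys = parse_getprinc_keys(output)
    unsupported = sorted({e for _, e in keys if e not in peer_enctypes})
    mismatch = {v for v, _ in keys} != {peer_kvno}
    fix: Optional[str] = f"modprinc -kvno {peer_kvno}" if mismatch else None
    return {"unsupported": unsupported, "kvno_mismatch": mismatch, "fix_kvno": fix}


def keysalt_arg(conf_line: str, peer_enctypes: Set[str]) -> str:
    """Build the kadmin -e keysalt list limited to peer-usable enctypes.
    Only the 'normal' salt is kept; the v4/afs3 salts serve AFS, not the trust."""
    pairs = parse_supported_enctypes(conf_line)
    keep = [f"{e}:{s}" for e, s in pairs if e in peer_enctypes and s == "normal"]
    return ",".join(dict.fromkeys(keep))  # de-duplicate, preserve order
```

Run the check against the real getprinc output of the krbtgt/PEER@LOCAL principal before and after rekeying; an empty `unsupported` list and `kvno_mismatch` of False are what the trust needs.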