[OpenAFS] Kerberos5 and afs
Thu, 15 Nov 2007 19:48:35 -0500
Russ Allbery wrote:
> Steve Devine <email@example.com> writes:
>> Does the order of the enctypes listed in the kdc affect this?
> In my experience, the enctype list should match exactly. It doesn't
> matter what order you list the enctypes in; if you have enctypes on the
> krbtgt key that aren't present in Windows, you may lose. So, in this
>> This is my current kdc.conf entry:
>> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> you need to explicitly specify -e des-cbc-crc:normal when creating the
> krbtgt cross-realm keys. Otherwise you'll get a des3 key in your KDC and
> since Windows doesn't support des3, you'll lose.
Ok that was it .. thanks to all. I hate to say how much time I spent on
I am going to continue testing on this and I may post my results when I
have something more coherent.
> Also, if you're entering a password to create this key, be very careful of
> the salting algorithm. I think that you'll need to fix that on the
> Windows side, since IIRC MIT Kerberos can't do the Windows salt but
> Windows can do the MIT salt (if configured correctly), but it's been a
> long time and I'm forgetting the details.
>> I'm not sure how to manipulate the kvno on the AD
> It depends on the version of Windows. Sometimes you can't at all. And
> regardless, since on the MIT side you can just use modprinc -kvno, it's
> way easier to make the MIT side match Windows than vice versa.
Academic Computing & Network Services
Michigan State University
506 Computer Center
East Lansing, MI 48824-1042
Baseball is ninety percent mental; the other half is physical.
- Yogi Berra
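
The enctype mismatch discussed in this thread can be checked before the cross-realm krbtgt keys are created. The following is an added example, not part of the original messages: it parses the `supported_enctypes` line quoted above and reports which default key/salt entries the peer realm could not use. The realm name `EXAMPLE.ORG`, the surrounding sample file, and the peer's accepted enctype and salt sets are assumptions taken from the thread's advice.

```python
import re

# Constructed sample; the supported_enctypes value is the one quoted in the thread.
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.ORG = {
        # constructed realm name
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
    }
"""

# Assumptions: what the peer realm accepts, taken from the thread's advice.
PEER_ENCTYPES = {"des-cbc-crc"}
PEER_SALTS = {"normal"}


def parse_supported_enctypes(conf_text, realm):
    """Return [(enctype, salt), ...] from one realm's supported_enctypes line."""
    in_realm = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(re.escape(realm) + r"\s*=\s*\{", line):
            in_realm = True
        elif line.startswith("}"):
            in_realm = False
        elif in_realm:
            m = re.fullmatch(r"supported_enctypes\s*=\s*(.+)", line)
            if m:
                pairs = []
                for item in re.split(r"[\s,]+", m.group(1).strip()):
                    enctype, _, salt = item.partition(":")
                    pairs.append((enctype, salt or "normal"))
                return pairs
    return []


def audit_cross_realm_keys(keysalts):
    """Sort the default key set into entries the peer can use and ones it cannot."""
    keep, drop = [], []
    for enctype, salt in keysalts:
        if enctype not in PEER_ENCTYPES:
            drop.append((enctype, salt, "enctype not available on peer"))
        elif salt not in PEER_SALTS:
            drop.append((enctype, salt, "salt type differs from peer"))
        else:
            keep.append((enctype, salt))
    e_arg = ",".join(f"{e}:{s}" for e, s in keep)
    return {"keep": keep, "drop": drop, "e_arg": e_arg}
```

The `e_arg` value is the key/salt list to pass with `-e` when creating the cross-realm krbtgt principal, so that no des3 key is generated.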