[OpenAFS] Kerberos5 and afs
Steve Devine
sdevine@msu.edu
Thu, 15 Nov 2007 19:48:35 -0500
Russ Allbery wrote:
> Steve Devine <sdevine@msu.edu> writes:
>
>> Does the order of the enctypes listed in the kdc affect this?
>
> In my experience, the enctype list should match exactly. It doesn't
> matter what order you list the enctypes in; if you have enctypes on the
> krbtgt key that aren't present in Windows, you may lose. So, in this
> case:
>
>> This is my current kdc.conf entry:
>> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>> des-cbc-crc:v4 des-cbc-crc:afs3
>
> you need to explicitly specify -e des-cbc-crc:normal when creating the
> krbtgt cross-realm keys. Otherwise you'll get a des3 key in your KDC and
> since Windows doesn't support des3, you'll lose.
>
OK, that was it... thanks to all. I hate to say how much time I spent on
this.
I am going to continue testing on this and I may post my results when I
have something more coherent.
Thanks again.
/sd
> Also, if you're entering a password to create this key, be very careful of
> the salting algorithm. I think that you'll need to fix that on the
> Windows side, since IIRC MIT Kerberos can't do the Windows salt but
> Windows can do the MIT salt (if configured correctly), but it's been a
> long time and I'm forgetting the details.
>
>> I'm not sure how to manipulate the kvno on the AD
>
> It depends on the version of Windows. Sometimes you can't at all. And
> regardless, since on the MIT side you can just use modprinc -kvno, it's
> way easier to make the MIT side match Windows than vice versa.
>
--
Steve Devine
Storage Systems
Academic Computing & Network Services
Michigan State University
506 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327
Baseball is ninety percent mental; the other half is physical.
- Yogi Berra
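The two fixes Russ describes (force a Windows-usable enctype on the cross-realm krbtgt keys with -e, then make the MIT-side kvno match AD with modprinc -kvno) as an added shell example. This is not code from the thread or from OpenAFS/MIT Kerberos; it prints the kadmin.local commands instead of running them and checks constructed getprinc output, so it runs without a KDC. The realm names MIT.EXAMPLE.COM and AD.EXAMPLE.COM, the AD-side kvno of 2, the <shared-secret> placeholder, and getprinc's "Key: vno N, <enctype>[, <salt>]" line format are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumptions: the two
# realm names, an AD-side kvno of 2, and getprinc's current
# "Key: vno N, <enctype>[, <salt>]" output format.
MIT_REALM="MIT.EXAMPLE.COM"          # assumption: MIT KDC realm
AD_REALM="AD.EXAMPLE.COM"            # assumption: Windows domain/realm
CROSS_ENCTYPE="des-cbc-crc:normal"   # the enctype:salt Russ says to force
WIN_OK_ENCTYPES="des-cbc-crc"        # enctypes the thread says Windows can use

# Print kadmin.local commands for both directions of the cross-realm trust.
# Printed rather than executed so this works offline; feed them to
# kadmin.local -q one at a time or paste them into an interactive session.
cross_realm_cmds() {
    kvno=$1   # kvno already present on the Windows side
    for p in "krbtgt/$AD_REALM@$MIT_REALM" "krbtgt/$MIT_REALM@$AD_REALM"; do
        # -e limits the key to CROSS_ENCTYPE; without it the KDC also
        # derives a des3 key from supported_enctypes, which Windows rejects.
        echo "addprinc -e $CROSS_ENCTYPE -pw <shared-secret> $p"
        # Make the MIT side match AD's kvno (the direction Russ recommends).
        echo "modprinc -kvno $kvno $p"
        echo "getprinc $p"
    done
}

# Enctypes present on a principal, one per line, from getprinc output.
key_enctypes() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno [0-9][0-9]*, \([^,]*\).*/\1/p'
}

# Succeed only if every key enctype is one Windows can use; name offenders.
check_win_enctypes() {
    bad=""
    for et in $(key_enctypes "$1"); do
        case " $WIN_OK_ENCTYPES " in
            *" $et "*) ;;
            *) bad="$bad $et" ;;
        esac
    done
    if [ -n "$bad" ]; then
        echo "enctypes not usable by Windows:$bad" >&2
        return 1
    fi
    return 0
}

# Succeed only if every key carries the expected (AD-side) kvno.
check_kvno() {
    want=$2
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' |
        awk -v want="$want" '$1 != want { bad = 1 } END { exit bad }'
}

# Constructed getprinc output for the failure Russ describes: addprinc
# without -e left a des3 key on the cross-realm principal, kvno 1.
BROKEN_GETPRINC="Principal: krbtgt/$AD_REALM@$MIT_REALM
Number of keys: 2
Key: vno 1, des3-cbc-sha1
Key: vno 1, des-cbc-crc"

# Constructed output after addprinc -e des-cbc-crc:normal and modprinc -kvno 2.
FIXED_GETPRINC="Principal: krbtgt/$AD_REALM@$MIT_REALM
Number of keys: 1
Key: vno 2, des-cbc-crc"

echo "# kadmin.local commands (AD-side kvno assumed to be 2):"
cross_realm_cmds 2
if check_win_enctypes "$BROKEN_GETPRINC"; then
    echo "broken sample unexpectedly passed"
else
    echo "broken sample flagged, as expected"
fi
if check_win_enctypes "$FIXED_GETPRINC" && check_kvno "$FIXED_GETPRINC" 2; then
    echo "fixed sample: enctypes and kvno acceptable to Windows"
fi
```

To use it against a real KDC, run `kadmin.local -q "getprinc krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM"` and pass the output to check_win_enctypes and check_kvno; any enctype the check names must be removed by recreating the principal with -e, since the KDC cannot drop a single key from an existing principal.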