[OpenAFS] KA server to MIT KRB5 migration issues
Fri, 7 Nov 2008 15:12:26 -0500
On Fri, Nov 7, 2008 at 2:40 PM, Russ Allbery <email@example.com> wrote:
> "Derrick Brashear" <firstname.lastname@example.org> writes:
>> On Fri, Nov 7, 2008 at 1:53 PM, Marcus Watts <email@example.com> wrote:
>>> The AFS3 string to key function uses the cell name as part of the
>>> conversion logic. For klog (with kaserver) that's guaranteed to be the
>> Nope. OpenAFS moved to des string to key by default a while ago. klog
>> tries both, so it "just works".
> Only if you have keys in your KDC with v4 salt. If you're converting from
> a kaserver, you don't, so far as I can tell. It works for newly changed
> keys, of course.
Not necessarily. But if your site changes you'd (probably) know...
nothing precludes a random password change client from having stored a
des key, though.