[OpenAFS] KA server to MIT KRB5 migration issues

Derrick Brashear shadow@gmail.com
Fri, 7 Nov 2008 15:12:26 -0500


On Fri, Nov 7, 2008 at 2:40 PM, Russ Allbery <rra@stanford.edu> wrote:
> "Derrick Brashear" <shadow@gmail.com> writes:
>> On Fri, Nov 7, 2008 at 1:53 PM, Marcus Watts <mdw@umich.edu> wrote:
>
>>> The AFS3 string to key function uses the cell name as part of the
>>> conversion logic.  For klog (with kaserver) that's guaranteed to be the
>>> case.
>
>> Nope. OpenAFS moved to DES string to key by default a while ago. klog
>> tries both, so it "just works".
>
> Only if you have keys in your KDC with v4 salt.  If you're converting from
> a kaserver, you don't, so far as I can tell.  It works for newly changed
> keys, of course.

Not necessarily. But if your site changes you'd (probably) know...
Nothing precludes a random password change client from having stored a
DES key, though.




-- 
Derrick