[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principal - OK?
Benjamin Kaduk
kaduk@MIT.EDU
Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
On Thu, 25 Jul 2013, Andrew Deason wrote:
> On Thu, 25 Jul 2013 10:57:33 +0200
> Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
>
>> Maybe I am not the best reader, but if I do use a win AD as a krb5
>> auth service and I did not change anything with my keyfiles and
>> everything, should OpenAFS 1.7.26 on Windows work as usual?
>
> I didn't have anything to do with the Windows client part of this, but
> yes, that's my understanding. For any platform, this release should
> behave the same as the previous one if you don't do anything with
> changing the keys or enctypes, etc.
I think the issue is actually a little more subtle. Prior to yesterday's
releases, all (*) places that got tokens from a TGT explicitly requested a
single-DES enctype for the session key. In yesterday's releases
(including 1.7.26), these places no longer explicitly request single-DES,
and use a KDF to convert any non-DES session keys to DES keys for use in
the AFS wire protocol. In this new version of things, we rely on the KDC
to only supply a DES session key if the AFS server does not support the
KDF scheme. In principle, this is fine, since the afs service principal's
long-term key must be single-DES for the (old) software to work at all,
and in the absence of other information, the KDC should not assume that a
service supports an enctype for which it has no long-term key.
The short version is: a misconfigured KDC can cause problems for new
clients against old servers.
-Ben
(*) klog.krb5 in 1.4.x did not do so; this was probably just an oversight
long ago
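A simplified model of the negotiation Ben describes, written as an added example for this thread (it is not OpenAFS or KDC code): the KDC picks the session-key enctype from what the client offers, old clients offer only single-DES, new clients let the KDC choose and fall back on a KDF, and a constructed "misconfigured" KDC advertises an enctype for which the afs principal has no long-term key. Enctype names and the `Kdc` class are assumptions for the model.

```python
from typing import List, Optional, Set

DES = "des-cbc-crc"               # single-DES, the only enctype old AFS servers speak
AES = "aes256-cts-hmac-sha1-96"   # a non-DES enctype the new KDF scheme can derive from


class Kdc:
    """Constructed KDC: chooses a session-key enctype for the afs service principal."""

    def __init__(self, service_key_enctypes: Set[str],
                 advertised_enctypes: Optional[Set[str]] = None) -> None:
        # Enctypes of the afs principal's long-term key (single-DES for old servers).
        self.service_key_enctypes = service_key_enctypes
        # The misconfiguration from the post: an admin-set attribute claiming the
        # service supports enctypes it has no long-term key for.
        self.advertised_enctypes = advertised_enctypes

    def session_key_enctype(self, client_offer: List[str]) -> str:
        # A correctly configured KDC only assumes what the service's keys support.
        permitted = self.advertised_enctypes or self.service_key_enctypes
        for enctype in client_offer:          # client preference order
            if enctype in permitted:
                return enctype
        raise ValueError("no common session-key enctype")


def client_offer(new_client: bool) -> List[str]:
    """Old releases explicitly requested single-DES; new ones offer their full list."""
    return [AES, DES] if new_client else [DES]


def server_accepts(session_enctype: str, server_has_kdf: bool) -> bool:
    """Old servers need a DES session key; new servers run non-DES keys through the KDF."""
    return session_enctype == DES or server_has_kdf


def token_works(new_client: bool, server_has_kdf: bool, kdc: Kdc) -> bool:
    """True if the token the KDC hands out is usable against this server."""
    return server_accepts(kdc.session_key_enctype(client_offer(new_client)), server_has_kdf)


if __name__ == "__main__":
    good_kdc = Kdc({DES})                  # only knows the DES long-term key
    bad_kdc = Kdc({DES}, {DES, AES})       # advertises AES it cannot back with a key
    print("new client, old server, good KDC:", token_works(True, False, good_kdc))
    print("new client, old server, bad KDC: ", token_works(True, False, bad_kdc))
```

With the constructed KDCs, only the combination Ben warns about (new client, old server, KDC advertising a non-DES enctype) fails; the old client keeps working because it still pins the session key to DES.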