[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service
principle - OK?
Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
On Thu, 25 Jul 2013, Andrew Deason wrote:
> On Thu, 25 Jul 2013 10:57:33 +0200
> Lars Schimmer <email@example.com> wrote:
>> Maybe I am not the best reader, but if I do use a win AD as a krb5
>> auth service and I did not change anything with my keyfiles and
>> everything, should OpenAFS 1.7.26 on Windows work as usual?
> I didn't have anything to do with the Windows client part of this, but
> yes, that's my understanding. For any platform, this release should
> behave the same as the previous one if you don't do anything with
> changing the keys or enctypes, etc.
I think the issue is actually a little more subtle. Prior to yesterday's
releases, all (*) places that got tokens from a TGT explicitly requested a
single-DES enctype for the session key. In yesterday's releases
(including 1.7.26), these places no longer explicitly request single-DES,
and use a KDF to convert any non-DES session keys to DES keys for use in
the AFS wire protocol. In this new version of things, we rely on the KDC
to only supply a DES session key if the AFS server does not support the
KDF scheme. In principle, this is fine, since the afs service principal's
long-term key must be single-DES for the (old) software to work at all,
and in the absence of other information, the KDC should not assume that a
service supports an enctype for which it has no long-term key.
The short version is: a misconfigured KDC can cause problems for new
clients against old servers.
(*) klog.krb5 in 1.4.x did not do so; this was probably just an oversight