[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?
Benjamin Kaduk
kaduk@MIT.EDU
Thu, 25 Jul 2013 12:00:22 -0400 (EDT)
On Thu, 25 Jul 2013, Andrew Deason wrote:
> On Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>
>> The short version is: a misconfigured KDC can cause problems for new
>> clients against old servers.
>
> If that's true, we need to say specifically what that misconfiguration
> is, so people can check for them and avoid it. I'm not aware of any way
> to create such a configuration (that behavior sounds instead like a KDC
> bug to me, without knowing any further details).
I almost said "KDC bug", actually. :)
As of MIT krb5 1.11, there are KDC knobs to control which enctypes are
usable as session keys on a per-principal basis, independent of the
long-term key enctypes. I don't know of any other KDCs for which this
sort of thing is possible, but I know almost nothing about the AD KDC, and
as your "how to rekey" document seems to show, there can be a lot of
complicated settings in an AD KDC!
-Ben
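Added illustration of the kind of check Andrew asks for above; this is editor-supplied example code, not from the thread, OpenAFS or MIT krb5. It assumes an MIT krb5 1.11 or later KDC, where `kadmin getstrs` shows the per-principal `session_enctypes` string attribute Ben refers to; the principal name, realm and the list of enctypes the (older) fileservers can use are placeholders you must substitute, and the check only flags the blunt case where the restriction leaves no enctype the servers understand.

```shell
#!/bin/sh
# Added example (not the thread's or OpenAFS's own code): detect an AFS service
# principal whose MIT krb5 >= 1.11 session_enctypes restriction excludes every
# enctype the fileservers can use.  Principal, realm and server enctype list
# below are placeholders / assumptions.

# Pure check, so it can be exercised without a KDC:
#   $1 = text output of `kadmin getstrs PRINCIPAL`
#   $2 = comma-separated enctypes the servers accept (assumption, supply yours)
# Returns 0 when no restriction is set or at least one restricted enctype is
# server-usable, 1 when the restriction excludes all of them.
session_enctypes_compatible() {
    getstrs_output="$1"
    server_enctypes="$2"
    # getstrs prints "key: value" lines; pull the session_enctypes value.
    restricted=$(printf '%s\n' "$getstrs_output" | sed -n 's/^session_enctypes: *//p')
    # No attribute: the KDC derives session enctypes from the long-term keys,
    # which is not the case Ben describes, so nothing to flag.
    [ -z "$restricted" ] && return 0
    for e in $(printf '%s' "$restricted" | tr ',' ' '); do
        for s in $(printf '%s' "$server_enctypes" | tr ',' ' '); do
            [ "$e" = "$s" ] && return 0
        done
    done
    echo "session_enctypes=$restricted excludes all server enctypes ($server_enctypes)" >&2
    return 1
}

# Live wrapper: needs kadmin.local access on the KDC host.  Both defaults are
# placeholders; "des-cbc-crc" stands in for whatever your old servers accept.
check_afs_principal() {
    princ="${1:-afs/example.cell@EXAMPLE.REALM}"
    servers="${2:-des-cbc-crc}"
    out=$(kadmin.local -q "getstrs $princ" 2>/dev/null) || return 2
    session_enctypes_compatible "$out" "$servers"
}
```

Run `check_afs_principal afs/yourcell@YOUR.REALM aes256-cts-hmac-sha1-96,des-cbc-crc` on the KDC; a non-zero exit means the per-principal session key restriction and the servers' capabilities do not overlap, which is the configuration (rather than KDC bug) the thread is circling around.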