[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Andrew Deason adeason@sinenomine.net
Thu, 25 Jul 2013 14:35:58 -0500


On Thu, 25 Jul 2013 15:22:50 -0400 (EDT)
Benjamin Kaduk <kaduk@MIT.EDU> wrote:

> On Thu, 25 Jul 2013, Sergio Gelato wrote:
> 
> > I've been poking a bit into this. First of all, let's make sure I
> > don't misunderstand your expectation here: do you want the KDC to be
> > willing to issue a ticket with a des-cbc-crc session key (as
> > requested by old aklog) even though the afs service principal does
> > not have that enctype?

That was the idea. But that doesn't work, as you've seen. Sorry about
that; we were trying a lot of different KDC/configuration
combinations...

> > Or are we Heimdal users expected to add that enctype to afs/cell
> > whenever we rekey?

That appears to be what you'll need to do, unless you can change the
KDC's behavior.

If you're expecting to be rekeying the AFS princ regularly or
frequently, though... doing that is still usually a disruptive
operation, even without this changing-enctype stuff for transitioning to
rxkad-k5/rxkad-kdf. That won't change until the Kerberos tools improve.

> If the KDC is in a state where it must choose a session key enctype in
> the intersection of the service principal's keys and the client's
> list, then the latter should always work.  The DES key for the
> afs/cell principal will need to be entered into the KeyFile or removed
> from the rxkad.keytab in order for server-to-server authentication to
> work, though.

Or just run add_enctype after you extract the keytab. That seems like
the easiest way to account for this in the instructions. While I recall
it being mentioned that add_enctype may be a relatively new feature,
having different enctypes for the service ticket and the session key at
all also appears "new", so maybe that is moot.

-- 
Andrew Deason
adeason@sinenomine.net
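To make the failure mode in this exchange concrete, here is a small constructed model (an added example, not Heimdal's or OpenAFS's own code) of a KDC that picks the session-key enctype only from the intersection of the service principal's keys and the client's list, plus a check that the keys the KDC holds for afs/cell are all present on the servers. Enctype names, kvnos and key sets are made up for illustration; it assumes add_enctype leaves the existing AES key in place and that the KeyFile carries only des-cbc-crc keys.

```python
# Constructed model of the KDC behaviour discussed in the thread.
# Not Heimdal or OpenAFS code; enctype names and kvnos are illustrative.

def choose_session_enctype(service_enctypes, client_enctypes):
    """Return the first enctype in the client's preference order that the
    service principal also has a key for, or None if there is no overlap.
    Models a KDC that only issues session keys from that intersection."""
    for etype in client_enctypes:
        if etype in service_enctypes:
            return etype
    return None

def server_keytab_gaps(kdc_keys, rxkad_keytab, keyfile_kvnos):
    """List (kvno, enctype) keys the KDC holds for afs/cell that neither the
    rxkad.keytab nor the legacy KeyFile (DES only, by kvno) carries. Any gap
    means a server-to-server ticket issued under that key cannot be read."""
    present = set(rxkad_keytab) | {(k, "des-cbc-crc") for k in keyfile_kvnos}
    return sorted(set(kdc_keys) - present)

def enctypes(keys):
    """Collapse (kvno, enctype) pairs to the set of enctypes."""
    return {etype for _, etype in keys}

# Old aklog asks only for a DES session key; a newer one prefers AES.
OLD_AKLOG = ["des-cbc-crc"]
NEW_AKLOG = ["aes256-cts-hmac-sha1-96", "des-cbc-crc"]

# afs/cell right after a rekey to AES: no DES key at all (constructed).
AFS_AFTER_REKEY = {(5, "aes256-cts-hmac-sha1-96")}
# The same principal after add_enctype put a DES key back (constructed).
AFS_WITH_DES = AFS_AFTER_REKEY | {(5, "des-cbc-crc")}

if __name__ == "__main__":
    # Old aklog against the rekeyed principal: nothing in the intersection.
    print(choose_session_enctype(enctypes(AFS_AFTER_REKEY), OLD_AKLOG))
    # After add_enctype the KDC can hand old aklog a DES session key.
    print(choose_session_enctype(enctypes(AFS_WITH_DES), OLD_AKLOG))
    # Keytab extracted before add_enctype: the DES key is missing on servers.
    print(server_keytab_gaps(AFS_WITH_DES, [(5, "aes256-cts-hmac-sha1-96")], []))
```

The last check is the situation Ben describes: once the DES key exists on the KDC it also has to reach the servers, either in the KeyFile or in the rxkad.keytab, or server-to-server authentication breaks.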