[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

Andrew Deason adeason@sinenomine.net
Fri, 26 Jul 2013 17:02:25 -0500


On Fri, 26 Jul 2013 17:42:03 -0400
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

> That was added as a hotfix to Server 2003.  In Server 2000 the KDC
> always issued tickets with the session key and service ticket key
> configured based upon the client specified enctype list.   This was a
> bug that was fixed in Server 2003.  At the time there were a number of
> Kerberos implementations which would crash if any of the enctypes in
> the ticket were not recognized even if the Kerberos implementation had
> no business attempting to decrypt the service ticket portion.  To
> avoid crashing these implementations the above hotfix was added.

Thank you for this explanation.

> If this is in fact the problem, a bug report needs to be filed with
> Microsoft to address the conflict between the DES_ONLY flag and the
> KdcUseRequestedEtypesForTickets option.

And for Lars and others, if you only turned on this option because of
AFS, you may be able to turn it off, since AFS doesn't need it turned
on. Of course, if you are affected by any buggy Kerberos client
implementations as mentioned above, you may need it on for other
reasons.

-- 
Andrew Deason
adeason@sinenomine.net