[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document
Jeffrey Hutzelman
jhutz@cmu.edu
Tue, 30 Jul 2013 21:17:23 -0400
On Tue, 2013-07-30 at 19:44 -0400, Jeffrey Altman wrote:
> On 7/30/2013 7:32 PM, Benjamin Kaduk wrote:
> > On Tue, 30 Jul 2013, Jeffrey Altman wrote:
> >
> >> This is an incorrect description. The explicit problem occurs when the
> >> following combination is true:
> >>
> >> 1. user has one or more strong enctype keys with non-default
> >> password salts
> >>
> >> 2. the only keys with default password salts are weak enctypes
> >>
> >> 3. preauth is required
> >
> > A bit off-topic (and feel free to go off-list), but I'm curious if there
> > is anything that can be said in general to be a cause for the presence
> > of non-default salts.
> >
> > Thanks,
> >
> > Ben
>
> Realm or principal renaming without updating the keys. This is not
> specific to Heimdal.
Also, some realms contain keys that date back to when they were running
krb4; these have non-default salts, according to krb5's way of thinking.