On Fri, Aug 22, 2008 at 03:30:59PM -0400, Ken Raeburn wrote:
> On Aug 21, 2008, at 17:39, Will Fiveash wrote:
>> I'm wondering what the best solution is in regards to OpenSolaris krb
>> handling the afs3 salt type. Our kdc.conf man page states that only the
>> normal salt type is supported and there is a bug CR relating to this:
>>
>> 6734142 krb should only accept the normal salt type
>
> I think mainly it'd be an issue for sites that have migrated databases that
> were once in kaserver, and haven't forced everyone to change their
> passwords. After a password change, a user should be getting the
> configured (normally "normal") salt types, I think. But even if the site
> has been running MIT or Sun KDCs for years, if some accounts haven't
> changed their passwords, the keys stored would still require that the
> clients be able to use AFS string-to-key, and that the KDC be able to tell
> the clients to do so.

Ken, if AFS currently requires krbv4 then a Solaris KDC cannot be used,
right? (Solaris krb has never supported krbv4)

> I doubt there's much need these days for the KDC to support use of afs3
> salt when updating entries in the database. But both angles are probably
> worth asking AFS users about...

Based on what Ken and Doug wrote about this I now think that OS krb code
should support the AFS string-to-key function for backwards compat but
disallow use of the afs3 salttype when creating new princ keys.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/