Andrew Bacchi wrote:
>
> I'm trying to extract a K5 key for afs. The encryption type seems to be
> invalid.
>
> kadmin: ktadd -e des-cbc-crc [EMAIL PROTECTED]
> ktadd: Invalid argument while parsing keysalts des-cbc-crc
>
> However, if I remove the enctype it writes a DES and DES3 key.
>
> kadmin: ktadd [EMAIL PROTECTED]
> Entry for principal [EMAIL PROTECTED] with kvno 1, encryption type Triple
> DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
> Entry for principal [EMAIL PROTECTED] with kvno 1, encryption type DES cbc
> mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
>
> Is this a salt problem? Can I add one of these keys to my AFS kaserver
> using asetkey? Must I use -e des-cbc-crc?

Both Sam and Ken are correct, use -e des-cbc-crc:normal

Another approach if you wanted to base the DES key on a password,
for example if using a Windows KDC. You would use the Windows ktpass
to create the AD entry and set the key from a password. Then you can use
the standard AFS "bos_util adddes <kvno>" command to add this to
/usr/afs/etc/KeyFile. When bos_util prompts for the password, use the
concatenation of <password><realm><name><instance>

So if your password was 12345678 then you would enter:
12345678WEB.RPI.EDUafs

(In your case there is no instance. Basically this is the difference
between the V4 and V5 string-to-key routines.)

You may still need a keytab as you may still need krb524d, but you can
create this using the MIT ktutil addent with the password or the key.

>
> --
> Facade: Provide a unified interface to a set of interfaces in a
> subsystem.
>
> Andrew Bacchi
> Staff Systems Programmer
> Rensselaer Polytechnic Institute
> phone: 518 276-6415 fax: 518 276-2809
>
> http://www.rpi.edu/~bacchi/
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--

 Douglas E. Engert <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois 60439
 (630) 252-5444
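
Added example, not part of the original messages: a Python sketch of how the string typed at the bos_util password prompt is assembled from a principal name, generalized to principals that do have an instance. The function names are hypothetical, the instance in the usage comment is constructed, and it assumes the default V5 salt (realm followed by the name components, with no separators).

```python
# Illustration only: these helpers are hypothetical and belong to no
# Kerberos or AFS tool. They build the <password><realm><name><instance>
# string described in the reply above.

def split_principal(principal):
    """Split 'name[/instance...]@REALM' into (components, realm).

    A backslash escapes the next character, so an escaped '/' or '@'
    stays inside the component it appears in.
    """
    comps, cur, realm = [], [], None
    chars = iter(principal)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))      # take escaped character literally
        elif ch == "@":
            comps.append("".join(cur))
            realm = "".join(chars)           # everything after '@' is the realm
            break
        elif ch == "/":
            comps.append("".join(cur))       # component boundary
            cur = []
        else:
            cur.append(ch)
    if not realm:
        raise ValueError("principal must end in @REALM")
    if not all(comps):
        raise ValueError("empty name component in principal")
    return comps, realm


def v5_default_salt(principal):
    """Assumed default V5 salt: realm, then each name component in order."""
    comps, realm = split_principal(principal)
    return realm + "".join(comps)


def v4_prompt_string(password, principal):
    """String to enter at a V4-style (unsalted) password prompt so that the
    resulting DES key matches the salted V5 key for the same password."""
    return password + v5_default_salt(principal)


if __name__ == "__main__":
    # The case from the message: no instance.
    print(v4_prompt_string("12345678", "afs@WEB.RPI.EDU"))
    # Constructed case with an instance, to show where it lands in the salt.
    print(v4_prompt_string("12345678", "afs/web.rpi.edu@WEB.RPI.EDU"))
```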
