On Wed, Jul 06, 2005 at 07:21:17PM -0400, Kevin Coffman wrote:
> My guess is that your krbtgt/[EMAIL PROTECTED] principal still
> only has a des key. 'cpw -randkey -keepold' on that principal to
> generate other keys.

Nice. That works. I didn't realize that had to be updated.

Which leaves me with a few more questions:

1. What's the difference between the principals [EMAIL PROTECTED] and
   krbtgt/[EMAIL PROTECTED] ? They both exist, but krbtgt/ISD.USC.EDU
   seems to be the ACTUAL ticket granting principal, while
   [EMAIL PROTECTED] has the DISALLOW_ALL_TIX attribute.

2. As expected, doing the cpw on the krbtgt/ISD.USC.EDU ticket provides
   us with:

   Key: vno 2, ArcFour with HMAC/md5, no salt
   Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
   Key: vno 2, DES cbc mode with CRC-32, no salt
   Key: vno 1, DES cbc mode with CRC-32, no salt

   and since the kvno is updated, that means I will need to
   regenerate/ktadd the new version of the key stashfile on all KDCs
   used to start the KDC, right?

3. Anything else I need to be wary of changing this principal and/or
   the "other" krbtgt principal?

Thanks.

--
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos