> and I'm not sure why the difference exists, other than that the oldest
> haven't changed their passwords since before we moved to Heimdal.
The short answer is that the plaintext password gets converted via a one-way algorithm to the encryption key used by Kerberos. So if you have an afs3-salted key (one particular algorithm) there is no way to convert that to a new key/salt type without knowing the original password.

One thing that isn't clear to me: is the problem that various people are having problems occasionally, or is it the _same_ people are having the problem? (In other words, does it fail for user X 100% of the time?) The former doesn't sound like a keysalt problem, but the latter almost certainly is. It shouldn't be too bad to track down which sets of users are having the problem.

Now, how to fix it? Well, that depends if it's the oldest or newest users that are having the problem. In theory the newer Kerberos code should work fine with the older enctypes, but it wouldn't surprise me if you also went from using Kerberos 4 natively to Kerberos 5 (that's just a guess).

One simple thing to do would be to start enforcing password changes (which you know you should be doing anyway); that would ensure that all users have the same set of enctypes. If you didn't mind doing some programming you could create a new libpam which took the user's plaintext password and did a password change for the user.

This all supposes that the problem is key/salt related.

--Ken

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
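An added illustration of the two points made above, not code from the list thread or from Heimdal: the salted one-way string-to-key step (here the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key, with the final DK() AES step omitted) gives different keys for the same password under different salts, so a stored afs3-salted key cannot be turned into a default-salt key, while a PAM-style hook that sees the plaintext at login can derive the missing key. The realm, principal, password and the cell-name stand-in for the afs3 salt are constructed assumptions; real afs3-salted DES keys use an AFS-specific routine that is not reproduced here.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample credentials for the example; nothing here comes from the list post.
REALM = "EXAMPLE.COM"
PRINCIPAL = "jdoe"
PASSWORD = "correct horse battery staple"
ITERATIONS = 4096  # RFC 3962 default iteration count for the AES enctypes


def default_salt(realm: str, principal: str) -> str:
    """RFC 4120 default salt: the realm followed by the principal's name components."""
    return realm + principal


def afs3_salt(realm: str) -> str:
    """Stand-in for the afs3 salt, assumed here to be the AFS cell name (lower-case realm).
    The real afs3-salted DES keys use a different, AFS-specific string-to-key routine."""
    return realm.lower()


def string_to_key(password: str, salt: str, key_len: int = 32) -> bytes:
    """One-way PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key function.
    The final DK() AES step of the RFC is omitted; it is also one-way."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), ITERATIONS, key_len)


def verify_password(password: str, salt: str, stored_key: bytes) -> bool:
    """Check a plaintext against a stored key by re-deriving it with the same salt."""
    return hmac.compare_digest(string_to_key(password, salt), stored_key)


def rekey_on_login(password: str, realm: str, principal: str,
                   keys: dict) -> Optional[dict]:
    """The libpam idea from the post: at login the plaintext is available, so verify it
    against the old afs3-salted key and derive the missing default-salt key from it.
    Returns the extended key set, or None if the password does not match."""
    if not verify_password(password, afs3_salt(realm), keys["afs3-salt"]):
        return None
    updated = dict(keys)
    updated["pw-salt"] = string_to_key(password, default_salt(realm, principal))
    return updated


if __name__ == "__main__":
    old = {"afs3-salt": string_to_key(PASSWORD, afs3_salt(REALM))}
    new = rekey_on_login(PASSWORD, REALM, PRINCIPAL, old)
    print("afs3-salt key:", old["afs3-salt"].hex())
    print("pw-salt key  :", new["pw-salt"].hex())
    print("keys differ  :", new["pw-salt"] != new["afs3-salt"])
```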