On Thu, 25 Jul 2013, Andrew Deason wrote:

> On Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
> Benjamin Kaduk <ka...@mit.edu> wrote:
>
>> The short version is: a misconfigured KDC can cause problems for new
>> clients against old servers.
>
> If that's true, we need to say specifically what that misconfiguration
> is, so people can check for it and avoid it. I'm not aware of any way
> to create such a configuration (that behavior sounds instead like a KDC
> bug to me, without knowing any further details).

I almost said "KDC bug", actually. :)

As of MIT krb5 1.11, there are KDC knobs to control which enctypes are usable as session keys on a per-principal basis, independent of the long-term key enctypes. I don't know of any other KDCs for which this sort of thing is possible, but I know almost nothing about the AD KDC, and as your "how to rekey" document seems to show, there can be a lot of complicated settings in an AD KDC!

-Ben
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
