On Thu, 25 Jul 2013 15:22:50 -0400 (EDT) Benjamin Kaduk <ka...@mit.edu> wrote:
> On Thu, 25 Jul 2013, Sergio Gelato wrote:
>
> > I've been poking a bit into this. First of all, let's make sure I
> > don't misunderstand your expectation here: do you want the KDC to be
> > willing to issue a ticket with a des-cbc-crc session key (as
> > requested by old aklog) even though the afs service principal does
> > not have that enctype?

That was the idea. But that doesn't work, as you've seen. Sorry about
that; we were trying a lot of different KDC/configuration
combinations...

> > Or are we Heimdal users expected to add that enctype to afs/cell
> > whenever we rekey?

That appears to be what you'll need to do, unless you can change the
KDC's behavior. If you're expecting to be rekeying the AFS princ
regularly or frequently, though... doing that is still usually a
disruptive operation, even without this changing-enctype stuff for
transitioning to rxkad-k5/rxkad-kdf. That won't change until the
Kerberos tools improve.

> If the KDC is in a state where it must choose a session key enctype in
> the intersection of the service principal's keys and the client's
> list, then the latter should always work. The DES key for the
> afs/cell principal will need to be entered into the KeyFile or removed
> from the rxkad.keytab in order for server-to-server authentication to
> work, though.

Or just run add_enctype after you extract the keytab. That seems like
the easiest way to account for this in the instructions. While I recall
it being mentioned that add_enctype may be a relatively new feature,
having different enctypes for the service ticket and the session key at
all also appears "new", so maybe that is moot.

-- 
Andrew Deason
adea...@sinenomine.net

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
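A small model of the negotiation rule discussed in the thread, added here as an illustration; it is not code from the thread, from OpenAFS or from Heimdal. It encodes the rule Ben states (the session key enctype must lie in the intersection of the service principal's keys and the client's requested list) and the server-side condition on KeyFile versus rxkad.keytab. The principal name, enctype lists and sample key sets are constructed, and the model's choice of the service's first listed key for sealing the ticket is an assumption made to show why ticket and session enctypes can differ.

```python
"""Model of KDC enctype selection for an AFS service principal.

Added illustration, not code from the thread, OpenAFS or Heimdal.
Sample principal name, enctype names and key sets are constructed.
"""

from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample requests: what an old aklog asks for versus a newer one.
OLD_AKLOG_REQUEST = ["des-cbc-crc"]
NEW_AKLOG_REQUEST = ["aes256-cts-hmac-sha1-96", "des-cbc-crc"]

DES = "des-cbc-crc"


@dataclass
class ServicePrincipal:
    name: str
    # Enctypes for which the KDC holds a key; first entry is treated as the
    # strongest (assumption of this model, not a KDC guarantee).
    key_enctypes: list[str] = field(default_factory=list)

    def add_enctype(self, enctype: str) -> None:
        """Model of running kadmin add_enctype: the principal gains a key of a new enctype."""
        if enctype not in self.key_enctypes:
            self.key_enctypes.append(enctype)


class NoMatchingEnctype(Exception):
    """Raised where a real KDC would refuse the request (no usable enctype)."""


def choose_session_enctype(client_request: list[str], svc: ServicePrincipal) -> str:
    """First client-requested enctype that the service principal also has a key for.

    This is the intersection rule from the thread: an old aklog that only
    asks for des-cbc-crc gets nothing unless afs/cell has a DES key.
    """
    for etype in client_request:
        if etype in svc.key_enctypes:
            return etype
    raise NoMatchingEnctype(
        f"{svc.name}: none of {client_request} is in {svc.key_enctypes}"
    )


def choose_ticket_enctype(svc: ServicePrincipal) -> str:
    """The ticket itself is sealed with one of the service's own keys.

    Model assumption: the KDC uses the first (strongest) listed key, so the
    ticket enctype and the session key enctype can legitimately differ.
    """
    return svc.key_enctypes[0]


def negotiate(client_request: list[str], svc: ServicePrincipal) -> tuple[str, str]:
    """Return (ticket_enctype, session_enctype) for one TGS request."""
    return choose_ticket_enctype(svc), choose_session_enctype(client_request, svc)


def server_key_problems(keyfile_enctypes: set[str], rxkad_keytab_enctypes: set[str]) -> list[str]:
    """Server-side condition from the thread, as a check.

    If the DES key for afs/cell sits in rxkad.keytab, it must also be in the
    KeyFile, or be removed from rxkad.keytab, for server-to-server
    authentication to work.
    """
    problems = []
    if DES in rxkad_keytab_enctypes and DES not in keyfile_enctypes:
        problems.append(
            f"{DES} present in rxkad.keytab but not in KeyFile: "
            "add it to KeyFile or remove it from rxkad.keytab"
        )
    return problems


def walkthrough() -> dict[str, object]:
    """Run the scenarios from the thread on a constructed afs/cell principal."""
    svc = ServicePrincipal("afs/example.com@EXAMPLE.COM", ["aes256-cts-hmac-sha1-96"])
    results: dict[str, object] = {}
    try:
        negotiate(OLD_AKLOG_REQUEST, svc)
        results["old_aklog_before_add_enctype"] = "issued"
    except NoMatchingEnctype as exc:
        results["old_aklog_before_add_enctype"] = f"refused: {exc}"
    svc.add_enctype(DES)  # what "run add_enctype after you extract the keytab" achieves
    results["old_aklog_after_add_enctype"] = negotiate(OLD_AKLOG_REQUEST, svc)
    results["new_aklog_after_add_enctype"] = negotiate(NEW_AKLOG_REQUEST, svc)
    results["server_problems"] = server_key_problems(
        keyfile_enctypes=set(), rxkad_keytab_enctypes={"aes256-cts-hmac-sha1-96", DES}
    )
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The walkthrough shows the three outcomes the thread describes: with only an AES key on afs/cell the old aklog request is refused, after add_enctype it gets a des-cbc-crc session key inside an AES-sealed ticket, and a newer aklog still gets an AES session key because its first preference is honoured.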