Re: [OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

2007-09-02 Thread Stephen Joyce
FWIW, I've been running 1.6.1 (not 1.6.2 though) on production KDCs since 
June 28. Everything seems to be working fine. I can get tokens via 
kinit/aklog and plain klog (using fakeka).


The KDCs currently run Solaris, but that's going to change "real soon now" 
once I've had a chance to fully test our new Debian KDCs.


Cheers, Stephen
--
Stephen Joyce
Systems Administrator                          P A N I C
Physics & Astronomy Department                 Physics & Astronomy
University of North Carolina at Chapel Hill    Network Infrastructure
voice: (919) 962-7214                          and Computing
fax: (919) 962-0480                            http://www.panic.unc.edu

 Some people make the world turn and others just watch it spin.
   -- Jimmy Buffet

On Sat, 1 Sep 2007, Jeffrey Altman wrote:

> Mike Dopheide wrote:
>> We've also found that reverting back to MIT Kerberos 1.4.3 wasn't good
>> enough.  Some principals would start working with klog again after
>> another password change, but others needed to be deleted and recreated.
>>
>> Is anyone else using MIT Kerberos 1.6.2 and klog?
>>
>> -Mike
>
> My guess is that there aren't a lot of sites that have made the
> migration to MIT Kerberos 1.6 on their production KDCs.  There is not
> a compelling reason for making that transition unless you are
> migrating the back-end database to use LDAP.
>
> To find out what is really going on, fakeka will have to be debugged
> to determine when the KABADREQUEST error is being generated.
>
> Jeffrey Altman





___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info




Re: [OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

2007-09-01 Thread Jeffrey Altman
Mike Dopheide wrote:
> We've also found that reverting back to MIT Kerberos 1.4.3 wasn't good
> enough.  Some principals would start working with klog again after
> another password change, but others needed to be deleted and recreated.
> 
> Is anyone else using MIT Kerberos 1.6.2 and klog?
> 
> -Mike

My guess is that there aren't a lot of sites that have made the
migration to MIT Kerberos 1.6 on their production KDCs.  There is not
a compelling reason for making that transition unless you are
migrating the back-end database to use LDAP.

To find out what is really going on, fakeka will have to be debugged
to determine when the KABADREQUEST error is being generated.

Jeffrey Altman







Re: [OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

2007-08-31 Thread Christopher D. Clausen
Just a thought, did you add/change enc_types when you went to 1.6.2? 
E.g. were you supporting AES256, DES3 and DES under krb5-1.4.3 ?  I've 
seen issues with certain things not understanding the AES256 type.

< wrote:
> We've also found that reverting back to MIT Kerberos 1.4.3 wasn't good
> enough.  Some principals would start working with klog again after
> another password change, but others needed to be deleted and
> recreated.
> Is anyone else using MIT Kerberos 1.6.2 and klog?
>
> Mike Dopheide wrote:
>> Number of keys: 5
>> Key: vno 30, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
>> Key: vno 30, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 30, DES cbc mode with CRC-32, no salt
>> Key: vno 30, DES cbc mode with CRC-32, Version 4
>> Key: vno 30, DES cbc mode with CRC-32, AFS version 3
>>
>> Jeffrey Altman wrote:
>>> Matt Elliott wrote:
>>>> We just discovered a problem with our KDC now running MIT 1.6.2.
>>>> When a user changes their password (previous keys were created
>>>> with our old kdc version 1.4.3 still work) with patches and then
>>>> tries klog it  longer grants tokens. klog returns "Unable to
>>>> authenticate to AFS because password was incorrect."  kinit and a
>>>> subsequent aklog still works.  Has anyone else seen this or have a
>>>> fix?




Re: [OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

2007-08-31 Thread Mike Dopheide
We've also found that reverting back to MIT Kerberos 1.4.3 wasn't good 
enough.  Some principals would start working with klog again after 
another password change, but others needed to be deleted and recreated.


Is anyone else using MIT Kerberos 1.6.2 and klog?

-Mike

Mike Dopheide wrote:
> Number of keys: 5
> Key: vno 30, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 30, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 30, DES cbc mode with CRC-32, no salt
> Key: vno 30, DES cbc mode with CRC-32, Version 4
> Key: vno 30, DES cbc mode with CRC-32, AFS version 3
>
> -Mike
>
> Jeffrey Altman wrote:
>> Matt Elliott wrote:
>>> We just discovered a problem with our KDC now running MIT 1.6.2.  When a
>>> user changes their password (previous keys were created with our old kdc
>>> version 1.4.3 still work) with patches and then tries klog it  longer
>>> grants tokens. klog returns "Unable to authenticate to AFS because
>>> password was incorrect."  kinit and a subsequent aklog still works.  Has
>>> anyone else seen this or have a fix?
>>
>> What keys are you generating in the KDC for principals at password
>> changes?





Re: [OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

2007-08-23 Thread Mike Dopheide

Number of keys: 5
Key: vno 30, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 30, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 30, DES cbc mode with CRC-32, no salt
Key: vno 30, DES cbc mode with CRC-32, Version 4
Key: vno 30, DES cbc mode with CRC-32, AFS version 3

-Mike

Jeffrey Altman wrote:
> Matt Elliott wrote:
>> We just discovered a problem with our KDC now running MIT 1.6.2.  When a
>> user changes their password (previous keys were created with our old kdc
>> version 1.4.3 still work) with patches and then tries klog it  longer
>> grants tokens. klog returns "Unable to authenticate to AFS because
>> password was incorrect."  kinit and a subsequent aklog still works.  Has
>> anyone else seen this or have a fix?
>
> What keys are you generating in the KDC for principals at password changes?




Re: [OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

2007-08-23 Thread Jeffrey Altman
Matt Elliott wrote:
> We just discovered a problem with our KDC now running MIT 1.6.2.  When a
> user changes their password (previous keys were created with our old kdc
> version 1.4.3 still work) with patches and then tries klog it  longer
> grants tokens. klog returns "Unable to authenticate to AFS because
> password was incorrect."  kinit and a subsequent aklog still works.  Has
> anyone else seen this or have a fix?

What keys are you generating in the KDC for principals at password changes?





Re: [OpenAFS] klog with sites using fakeka against MIT1.6.2 broken?

2007-08-23 Thread Russ Allbery
Matt Elliott <[EMAIL PROTECTED]> writes:

> We just discovered a problem with our KDC now running MIT 1.6.2.  When a
> user changes their password (previous keys were created with our old kdc
> version 1.4.3 still work) with patches and then tries klog it longer
> grants tokens. klog returns "Unable to authenticate to AFS because
> password was incorrect."  kinit and a subsequent aklog still works.  Has
> anyone else seen this or have a fix?

I suspect referrals broke something, mostly because almost everything that
breaks after upgrading to 1.6.2 is because of referrals.

-- 
Russ Allbery ([EMAIL PROTECTED]) 