We have a very old AFS cell, installed with kaserver back in 1991, and we later migrated to use heimdal instead of kaserver. This was working well with Debian sarge installations, which were our standard setup until recently. When we started upgrading some of our clients to Debian etch (libpam-heimdal moves from 1.0-17 to 2.5-1), we're seeing problems with some people getting failed login problems repeatedly (in /var/log/auth.log we see 'Failed password for xxx'). If we change the pam library from libpam-heimdal to the MIT-based libpam-krb5 (version 2.6-1), there are still some failures, but not as many.
It's very difficult for me to tell whether this is a Debian problem or a Heimdal problem or something else. The Kerberos V database is a heimdal-kdc (version 0.7.2.dfsg.1-10) into which we imported our old kaserver database some years ago when we got rid of the kaserver. My suspicion is that the problem may be related to the default-keys definition; in kdc.conf under [kadmin] I have:

    default_keys = v5 des3:pw-salt des:afs3-salt:[cell name]

The problem is, users in the data base have different salts depending on when they were created or changed their passwords. The oldest users have:

    Keytypes: des-cbc-md5(afs3-salt([cell name])),
              des-cbc-md4(afs3-salt([cell name])),
              des-cbc-crc(afs3-salt([cell name]))

some users from the middle have:

    Keytypes: des3-cbc-sha1(pw-salt), des-cbc-md5(pw-salt),
              des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)

and the newest users have:

    Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
              des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt),
              arcfour-hmac-md5(pw-salt), des3-cbc-sha1(pw-salt),
              des-cbc-md5(afs3-salt([cell name])),
              des-cbc-md4(afs3-salt([cell name])),
              des-cbc-crc(afs3-salt([cell name]))

and I'm not sure why the difference exists, other than that the oldest haven't changed their passwords since before we moved to heimdal.

Suggestions or explanations welcome!

-- Owen
Dr. A O V Le Blanc
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
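An added example, not part of the original message: one way to test the salt suspicion is to group principals by the salt types in their key sets and compare the groups against the accounts logging 'Failed password'. The input layout (a `Principal:` line followed by a `Keytypes:` line), the principal names and the cell name `example.org` are assumptions; the sample is constructed from the key lists quoted above.

```python
import re
from collections import defaultdict

# Constructed sample following the "Keytypes:" lines quoted in the message.
# Principal names and the cell name "example.org" are placeholders.
SAMPLE = """\
Principal: olduser@EXAMPLE.ORG
Keytypes: des-cbc-md5(afs3-salt(example.org)), des-cbc-md4(afs3-salt(example.org)), des-cbc-crc(afs3-salt(example.org))
Principal: miduser@EXAMPLE.ORG
Keytypes: des3-cbc-sha1(pw-salt), des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)
Principal: newuser@EXAMPLE.ORG
Keytypes: des-cbc-md5(pw-salt), aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), des-cbc-md5(afs3-salt(example.org))
"""

KEY_RE = re.compile(r"^([\w-]+)\(([\w-]+)(?:\(.*\))?\)$")  # enctype(salt[(arg)])

def split_top_level(text):
    """Split on commas that sit outside parentheses (the salt argument is nested)."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append(text[start:i].strip())
            start = i + 1
    parts.append(text[start:].strip())
    return [p for p in parts if p]

def parse_keytypes(value):
    """Return [(enctype, salt_type), ...] for one Keytypes value."""
    matches = (KEY_RE.match(item) for item in split_top_level(value))
    return [(m.group(1), m.group(2)) for m in matches if m]

def group_by_salt(text):
    """Map each distinct set of salt types to the principals that carry it."""
    groups, principal = defaultdict(list), None
    for line in text.splitlines():
        label, _, value = line.strip().partition(":")
        if label == "Principal":
            principal = value.strip()
        elif label == "Keytypes" and principal:
            salts = tuple(sorted({salt for _, salt in parse_keytypes(value)}))
            groups[salts].append(principal)
    return dict(groups)

if __name__ == "__main__":
    for salts, names in sorted(group_by_salt(SAMPLE).items()):
        print("+".join(salts), "->", ", ".join(names))
```

If the failing logins cluster in the afs3-salt-only group, that points at salt handling in the new PAM module rather than at the KDC database as a whole.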