I've been testing krb5-1.2.5 in preparation for an upgrade of my KDC from 1.2.1 and I noticed something interesting.
It seems that I get a preauth failure when I try to get credentials for a principal whose key was created on our old V4 KDC (several years ago). (All my principals are set with REQUIRES_PREAUTH). The key looks like this:

    Key: vno xx, DES cbc mode with CRC-32, Version 4

If I change the password (to the same value), thereby generating a set of keys that looks like this:

    Key: vno xx, DES cbc mode with CRC-32, no salt
    Key: vno xx, DES cbc mode with RSA-MD5, Version 4
    Key: vno xx, DES cbc mode with RSA-MD5, Version 5 - No Realm
    Key: vno xx, DES cbc mode with RSA-MD5, Version 5 - Realm Only
    Key: vno xx, DES cbc mode with RSA-MD5, AFS version 3

the problem goes away. (I masked out the vno, so as not to confuse the issue. The second set of keys is for a different user than the first; I had already changed the password of the first user and don't have its old key versions available).

My kdc.conf, which I copied from my V1.2.1 KDC (where this problem didn't occur), contains the following 'supported_enctypes':

    des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 des-cbc-crc:v4

I was under the impression that 'des-cbc-crc:normal' and 'des-cbc-crc:v4' were all that are necessary to support the old keys.

I don't think I have too many principals with old V4 keys, but I'm wondering if there's anything I can do to fix this in a way that is transparent to users.

Thanks.

Mike

------------------------------------------------------------------------------
Mike Friedman                 System and Network Security    [EMAIL PROTECTED]
2484 Shattuck Avenue          1-510-642-1410                 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef                               http://security.berkeley.edu
------------------------------------------------------------------------------

________________________________________________
Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
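Before an upgrade like the one described above, an admin would want to know which principals still carry only V4-salted keys, since those are the ones the message reports preauth failing for. The following is an added example, not code from the poster or from MIT krb5: it parses key listings in the "Key: vno N, enctype, salt" format quoted in the message (the "Principal:" header line and the principal names, realm and vnos in the sample are constructed assumptions) and reports principals whose every key has the "Version 4" salt type.

```python
import re

# Constructed sample in the format quoted in the message (krb5 1.2-era kadmin
# getprinc output). Principal names, realm and vnos are made up for the example.
SAMPLE_KEY_LISTING = """\
Principal: alice@EXAMPLE.COM
Key: vno 3, DES cbc mode with CRC-32, Version 4
Principal: bob@EXAMPLE.COM
Key: vno 7, DES cbc mode with CRC-32, no salt
Key: vno 7, DES cbc mode with RSA-MD5, Version 4
Key: vno 7, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 7, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 7, DES cbc mode with RSA-MD5, AFS version 3
Principal: carol@EXAMPLE.COM
Key: vno 2, DES cbc mode with CRC-32, no salt
"""

PRINC_RE = re.compile(r"^Principal: (\S+)$")
KEY_RE = re.compile(r"^Key: vno (\d+), ([^,]+), (.+)$")

def parse_key_listing(text):
    """Return {principal: [(vno, enctype, salt_type), ...]} from getprinc-style output."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = PRINC_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])   # keep principals even if no Key lines follow
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            keys[current].append((int(m.group(1)), m.group(2).strip(), m.group(3).strip()))
    return keys

def v4_salt_only(keys):
    """Principals whose every key uses the V4 salt type: the case the message describes."""
    return sorted(p for p, ks in keys.items()
                  if ks and all(salt == "Version 4" for _, _, salt in ks))

if __name__ == "__main__":
    for p in v4_salt_only(parse_key_listing(SAMPLE_KEY_LISTING)):
        print(p)
```

On a real KDC the listing would come from kadmin's getprinc output for each principal rather than the embedded sample.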
