> I must say it's quite a surprise that Windows can allow you this
> flexibility but MIT Kerberos doesn't. Is it really impossible with MIT
> Kerberos?
With the supplied tools, yes. In theory, you could write code to do it.

The real problem is that your keys are "salted" with the complete principal name (the salt is one of the inputs to the algorithm that turns a password into the actual encryption key Kerberos uses). There is a provision for an "alternate" salt ... you could write code to transform the database, and in the process store alternate salts for each key. This assumes that all of your clients support alternate salts.

I believe Windows manages this by storing the actual plaintext passwords, and thus can simply generate new keys from the passwords with the correct salt.

If you have a regular password expiration policy, you could "cheat" a bit and store the plaintext passwords. Or even better, during the password change you could store the "correct" salt. Either one of these solutions requires writing some code ... and a password expiration policy.

--Ken

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
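As an added worked example (not code from the post or from MIT Kerberos itself), here is the RFC 3962 string-to-key derivation for aes256-cts-hmac-sha1-96 that the reply is talking about: the same password gives a different key once the principal's default salt (realm followed by the name components) changes, and the old key comes back only if the old salt is supplied as the alternate salt. The principal name, realms and password are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898) on the standard library alone.
func pbkdf2SHA1(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, pass)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		t := mac.Sum(nil) // T_i = U_1 xor U_2 xor ... xor U_iter
		for i, u := 1, t; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aes256StringToKey is the RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
// key = DK(PBKDF2-HMAC-SHA1(pw, salt, 4096, 32), "kerberos"). DK for AES is CBC-CTS
// (zero IV) over n-fold("kerberos"); one block in, so K1 = E(tkey, nf), K2 = E(tkey, K1).
func aes256StringToKey(password, salt string) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), 4096, 32)
	nf, _ := hex.DecodeString("6b65726265726f737b9b5b2b93132b93") // RFC 3961 A.1: 128-fold("kerberos")
	blk, _ := aes.NewCipher(tkey)                               // tkey is 32 bytes, so this cannot fail
	k1, k2 := make([]byte, 16), make([]byte, 16)
	blk.Encrypt(k1, nf)
	blk.Encrypt(k2, k1)
	return append(k1, k2...)
}

func main() {
	// Constructed sample: the default salt is realm + principal components, so
	// renaming raeburn@ATHENA.MIT.EDU into EXAMPLE.COM changes the salt and the key.
	fmt.Printf("old salt: %x\n", aes256StringToKey("hunter2", "ATHENA.MIT.EDUraeburn"))
	fmt.Printf("new salt: %x\n", aes256StringToKey("hunter2", "EXAMPLE.COMraeburn"))
}
```

Storing "ATHENA.MIT.EDUraeburn" as the alternate salt of the renamed principal is what lets a KDC keep serving the old key without ever holding the plaintext password.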
