>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" [EMAIL PROTECTED]
>>
>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
>
>I think -randkey causes the salt to be ignored -- I used :afs3 and
>a subsequent getprinc says that the principal has no salt.

It's a bit more complicated than that. When you use -randkey, you're creating a random encryption key. Remember that point.

What the salt does is provide an extra bit of permutation to the algorithm to convert a password (what humans type) to an encryption key (what Kerberos actually uses). AFS uses one salt algorithm; Kerberos V5 by default uses another.

But if you're creating a random encryption key, there is no password that corresponds to that encryption key, so the salt is meaningless; in this case, the Kerberos code is hardcoded to only use the "normal" salt for DES-based enctypes. Now that I think about it, there is probably no reason for this, as it doesn't matter in any case and it just ends up confusing people.

To complicate matters further, in MIT Kerberos "no salt" really means "take the default", which means "Use the V5 salt rules" ... and you indicate that by adding ":normal" to the encryption type when you create a key.

>Converting to Kerberos V has been a bit frustrating -- you can't just
>follow a recipe, you have to use Google and learn quite a bit about
>K5 and AFS to work through it all. I'm still learning.

You now see why I included so much basic material about AFS and Kerberos 5 in the Migration Kit documentation :-/

--Ken
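
An added illustration of the salt's role described in the message above (not part of the original post, and not MIT Kerberos or OpenAFS code): the same password yields different keys under the V5 default salt and an AFS-style salt, while a random key involves neither password nor salt. Assumptions: PBKDF2-HMAC-SHA1 stands in for the real DES and AFS string-to-key algorithms, the AFS-style salt is taken to be the lowercased realm, and the principal and password are constructed sample values.

```python
import hashlib
import os


def v5_normal_salt(principal: str) -> bytes:
    """Default Kerberos V5 salt: realm followed by the name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def afs3_salt(principal: str) -> bytes:
    """AFS-style salt (assumption): the cell name only, taken here as the lowercased realm."""
    return principal.rsplit("@", 1)[1].lower().encode()


def password_to_key(password: str, salt: bytes, length: int = 16) -> bytes:
    """Stand-in string-to-key (PBKDF2-HMAC-SHA1), not the DES or AFS algorithm."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, length)


def random_key(length: int = 16) -> bytes:
    """What -randkey amounts to: key bytes straight from the RNG, so no salt applies."""
    return os.urandom(length)


def compare(principal: str, password: str) -> dict:
    """Derive keys for one password under both salt rules and report the results."""
    k_normal = password_to_key(password, v5_normal_salt(principal))
    k_afs = password_to_key(password, afs3_salt(principal))
    return {
        "normal_salt": v5_normal_salt(principal),
        "afs3_salt": afs3_salt(principal),
        "keys_differ": k_normal != k_afs,
        "normal_key": k_normal.hex(),
        "afs3_key": k_afs.hex(),
        "random_key": random_key().hex(),
    }


if __name__ == "__main__":
    # Constructed sample principal and password.
    for field, value in compare("alice/admin@EXAMPLE.ORG", "correct horse").items():
        print(f"{field}: {value}")
```
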
