>> Could changing realm names be another possibility? Jeff, are you
>> using the same realm name in your KDC as in the kaserver?

Just as a side note: that is definitely not the problem here. This is evident by the KDC log message mentioning "DECRYPT_CLIENT_KEY" - that can only occur if the principal keys are encrypted incorrectly. The confusing part is that "Decrypt integrity check failed" is passed back to the client and it interprets it as "Password incorrect", which is confusing.

>Yes, the K/M principal is single and triple DES'd.
>
>How does one go about deleting one of K/M's keys in DB
>without shooting oneself in the foot?

Short answer: you don't. There is currently not a good way to change the enctype of the master key (you can _change_ the key, but it has to have the same enctype). Just deleting the triple-DES key isn't good enough, as your existing keys will then not be able to be decrypted.

This may have changed more recently, so I could be wrong. I tried to change my master key enctype once, but it was used in enough places that it was very hard, so I gave up.

I think your easiest solution is to fix afs2k5db so it works with different master key enctypes. Like I said, IN THEORY this should be simple. Second easiest: redo your realm with only a single-DES key (it all depends on your realm setup as to which one you find easier).

--Ken
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
