Russ Allbery wrote:
> Steve Devine <[EMAIL PROTECTED]> writes:
>
>> Forgive the slightly off topic post but I think it applies here as well
>> as on the kerberos list. Several years ago we moved to MIT kerberos 5. At
>> the time I set the master key in the kdc.conf to:
>>
>> master_key_type = des-cbc-crc
>>
>> I did this to allow transfer of principals from our old kaserver to the
>> new kdc.
>>
>> Now we are trying to get Windows 2003 AD to auth against our Kerberos
>> server and it seems that it will not work with our kdc as it is
>> configured.  My question is am I screwed here or just missing something
>> easy?  I have tried multiple allowed enctypes and still no luck.
>>
>> If I build a kdc without specifying a master key it seems to work.
>> Have any others done this same thing?
>
> The master key type doesn't matter at all for cross-realm trust.  The only
> thing the master key is used for is encrypting the KDC database on disk.
> It is never seen on the wire and no clients of Kerberos are even aware
> that it exists.

Ok, that's a huge relief.

> What matters for cross-realm trust is the enctypes on the cross-realm
> krbtgt keys, which must match in both environments (along with the key and
> the kvno) and must be of an enctype supported in both environments.  Most
> sites these days use rc4-hmac as the cross-realm key type since it's
> stronger than DES and supported by both Windows and MIT Kerberos.  If
> you're running the latest and greatest Windows AD, you can use AES, but
> that's pretty bleeding edge still and most people haven't upgraded that
> far yet.
>
> Most cross-realm trust problems with Windows end up being problems with
> getting the key and kvno synchronized between the environments or having
> extra stray enctypes on the MIT end that Windows doesn't support.

Does the order of the enctypes listed in the kdc affect this?
This is my current kdc.conf entry:

supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3

I'm not sure how to manipulate the kvno on the AD.
Thanks
/sd



--
Steve Devine
Storage Systems
Academic Computing & Network Services
Michigan State University

506 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Baseball is ninety percent mental; the other half is physical.
- Yogi Berra

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
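One way to check the MIT side of what Russ describes (stray enctypes on the cross-realm krbtgt and a kvno that must match the AD side), as an added example that is not from this thread or from MIT Kerberos itself: a small Python script that parses the output of `kadmin.local -q "getprinc krbtgt/AD.REALM@MIT.REALM"` and reports the key version number plus any enctypes Windows does not support. The realm names, the sample output and the short enctype spellings the regex expects are assumptions.

```python
import re

# Enctypes Windows AD can use for a cross-realm trust: DES and rc4-hmac on
# Windows 2000/2003, AES on later releases. des3 (MIT's des3-cbc-sha1, the
# des3-hmac-sha1 in the kdc.conf above) is not among them, so a krbtgt key
# of that type is a "stray" key as far as the Windows side is concerned.
WINDOWS_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "rc4-hmac",
                    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# Assumed getprinc key-line shape: "Key: vno 3, des-cbc-crc, no salt"
KEY_LINE = re.compile(r"^Key: vno (\d+), ([^,\s]+)")


def audit_crossrealm_principal(getprinc_output, allowed=WINDOWS_ENCTYPES):
    """Return (kvno, sorted enctypes, sorted stray enctypes) for one
    cross-realm krbtgt principal as printed by kadmin getprinc."""
    kvnos, enctypes = set(), []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            kvnos.add(int(m.group(1)))
            enctypes.append(m.group(2))
    if len(kvnos) != 1:
        raise ValueError(f"expected exactly one kvno, found {sorted(kvnos)}")
    stray = sorted(e for e in enctypes if e not in allowed)
    return kvnos.pop(), sorted(enctypes), stray


def trust_ready(mit_getprinc_output, ad_side_kvno, allowed=WINDOWS_ENCTYPES):
    """True when the MIT krbtgt carries no enctype Windows cannot use and its
    kvno equals the kvno recorded for the trust on the AD side."""
    kvno, _, stray = audit_crossrealm_principal(mit_getprinc_output, allowed)
    return not stray and kvno == ad_side_kvno


# Constructed sample, modelled on the supported_enctypes line in this thread;
# not captured from a real KDC.
SAMPLE_GETPRINC = """\
Principal: krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Number of keys: 2
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, des-cbc-crc, no salt
"""

if __name__ == "__main__":
    kvno, enctypes, stray = audit_crossrealm_principal(SAMPLE_GETPRINC)
    print(f"kvno={kvno} enctypes={enctypes} stray={stray}")
```

On a real KDC, pipe the getprinc output for both directions of the trust (krbtgt/AD@MIT and krbtgt/MIT@AD) through the script and compare the reported kvno with the one the AD side holds.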