Russ Allbery wrote:
> Steve Devine <[EMAIL PROTECTED]> writes:
>
>> Does the order of the enctypes listed in the kdc affect this?
>
> In my experience, the enctype list should match exactly.  It doesn't
> matter what order you list the enctypes in; if you have enctypes on the
> krbtgt key that aren't present in Windows, you may lose.  So, in this
> case:
>
>> This is my current kdc.conf entry:
>> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>> des-cbc-crc:v4 des-cbc-crc:afs3
>
> you need to explicitly specify -e des-cbc-crc:normal when creating the
> krbtgt cross-realm keys.  Otherwise you'll get a des3 key in your KDC and
> since Windows doesn't support des3, you'll lose.

Ok that was it .. thanks to all. I hate to say how much time I spent on this. I am going to continue testing on this and I may post my results when I have something more coherent.
Thanks again.
/sd

> Also, if you're entering a password to create this key, be very careful of
> the salting algorithm.  I think that you'll need to fix that on the
> Windows side, since IIRC MIT Kerberos can't do the Windows salt but
> Windows can do the MIT salt (if configured correctly), but it's been a
> long time and I'm forgetting the details.
>
>> I'm not sure how to manipulate the kvno on the AD
>
> It depends on the version of Windows.  Sometimes you can't at all.  And
> regardless, since on the MIT side you can just use modprinc -kvno, it's
> way easier to make the MIT side match Windows than vice versa.



--
Steve Devine
Storage Systems
Academic Computing & Network Services
Michigan State University

506 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Baseball is ninety percent mental; the other half is physical.
- Yogi Berra

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
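
Added example, not part of the original messages or of any project's code: a Python check of the rule discussed in the thread, that every key created for the cross-realm krbtgt principal must be one the peer realm can also derive. The function names, the peer enctype set and the peer salt set are assumptions made for illustration; only the supported_enctypes value comes from the thread.

```python
# Added example; function and variable names are hypothetical.
# kdc.conf value quoted in the thread.
SUPPORTED_ENCTYPES = ("des3-hmac-sha1:normal des-cbc-crc:normal "
                      "des-cbc-crc:v4 des-cbc-crc:afs3")
# Assumption: enctypes the Windows side can use, in MIT spelling.
# The thread itself only states that des3 is not among them.
PEER_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
# Assumption: the peer derives password-based keys with the "normal" salt.
PEER_SALTS = {"normal"}


def parse_keysalts(value):
    """Split a keysalt list into (enctype, salt) pairs; salt defaults to normal."""
    pairs = []
    for item in value.replace(",", " ").split():
        enctype, _, salt = item.partition(":")
        pairs.append((enctype.lower(), (salt or "normal").lower()))
    return pairs


def plan_cross_realm_key(supported, peer_enctypes, peer_salts):
    """Sort the KDC's default keysalts into usable pairs and rejected ones."""
    usable, rejected = [], []
    for enctype, salt in parse_keysalts(supported):
        if enctype not in peer_enctypes:
            rejected.append((enctype, salt, "enctype not supported by peer"))
        elif salt not in peer_salts:
            rejected.append((enctype, salt, "salt differs from peer"))
        elif (enctype, salt) not in usable:
            usable.append((enctype, salt))
    return usable, rejected


def e_argument(usable):
    """Format usable pairs as the keysalt list given to kadmin's -e option."""
    return ",".join(f"{e}:{s}" for e, s in usable)


if __name__ == "__main__":
    usable, rejected = plan_cross_realm_key(
        SUPPORTED_ENCTYPES, PEER_ENCTYPES, PEER_SALTS)
    for enctype, salt, reason in rejected:
        print(f"default key {enctype}:{salt} would not match: {reason}")
    print("create the krbtgt cross-realm key with: -e", e_argument(usable))
```
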
