Hi Jeffrey,

On Thu, 2011-10-13 at 10:24 -0400, Jeffrey Altman wrote:
> The difference in the two cases is that -tmp is requesting a TGT first
> whereas without -tmp the [email protected] request is being issued directly.
> In the non -tmp case the KDC replies with a ticket encrypted using
> aes256-cts-hmac-sha1-96 which is not supported for AFS.

Hmm, but it looks the same on the Heimdal 1.2.1 KDC (where klog.krb5
works without problems). For completeness, here is the log of the 1.2.1 KDC
when the client issues 'klog.krb5':

Oct 13 16:27:24 hekate kdc[9671]: AS-REQ [email protected] from IPv4:141.34.2.11 
for afs/[email protected]
Oct 13 16:27:24 hekate kdc[9671]: UNKNOWN -- afs/[email protected]: No such entry 
in the database
Oct 13 16:27:24 hekate kdc[9671]: sending 112 bytes to IPv4:141.34.2.11
Oct 13 16:27:24 hekate kdc[9671]: AS-REQ [email protected] from IPv4:141.34.2.11 
for [email protected]
Oct 13 16:27:24 hekate kdc[9671]: Client sent patypes: 149
Oct 13 16:27:24 hekate kdc[9671]: Looking for PKINIT pa-data -- [email protected]
Oct 13 16:27:24 hekate kdc[9671]: Looking for ENC-TS pa-data -- [email protected]
Oct 13 16:27:24 hekate kdc[9671]: No preauth found, returning PREAUTH-REQUIRED 
-- [email protected]
Oct 13 16:27:24 hekate kdc[9671]: sending 307 bytes to IPv4:141.34.2.11
Oct 13 16:27:26 hekate kdc[9671]: AS-REQ [email protected] from IPv4:141.34.2.11 
for [email protected]
Oct 13 16:27:26 hekate kdc[9671]: Client sent patypes: encrypted-timestamp, 149
Oct 13 16:27:26 hekate kdc[9671]: Looking for PKINIT pa-data -- [email protected]
Oct 13 16:27:26 hekate kdc[9671]: Looking for ENC-TS pa-data -- [email protected]
Oct 13 16:27:26 hekate kdc[9671]: ENC-TS Pre-authentication succeeded -- 
[email protected] using aes256-cts-hmac-sha1-96
Oct 13 16:27:26 hekate kdc[9671]: Client supported enctypes: 
aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, 
arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4
Oct 13 16:27:26 hekate kdc[9671]: Using aes256-cts-hmac-sha1-96/des-cbc-md5
Oct 13 16:27:26 hekate kdc[9671]: Requested flags: renewable, forwardable
Oct 13 16:27:26 hekate kdc[9671]: AS-REQ authtime: 2011-10-13T16:27:26 
starttime: unset endtime: 2011-10-14T17:27:24 renew till: 2011-11-12T15:27:24
Oct 13 16:27:26 hekate kdc[9671]: sending 631 bytes to IPv4:141.34.2.11

The encryption types sent out to the client are the same
(aes256-cts-hmac-sha1-96/des-cbc-md5), aren't they?

> This could be either a bug in klog.krb5 or in Heimdal.  I haven't looked
> at any code yet.  In the non -tmp case either klog.krb5 is not
> requesting des-cbc-crc or Heimdal is forgetting that request when
> responding to the pre-auth request.

Thanks,
Andreas
-- 
| Andreas Haupt             | E-Mail: [email protected]
|  DESY Zeuthen             | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6          | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen          | Fax:    +49/33762/7-7216


_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
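
An added example, not part of the original message and not OpenAFS or Heimdal code: a small parser for KDC log lines in the format quoted in this message. It rejoins the mail-wrapped lines and reports, per AS-REQ, the offered enctypes and the logged `Using a/b` pair, so two KDCs' logs can be compared field by field. The sample log, the function names and the single-DES set are assumptions, and the code does not interpret which half of the pair is which.

```python
import re

# Constructed sample: same message format and mail wrapping as the log above,
# with placeholder principals and addresses.
SAMPLE = """\
Oct 13 16:27:24 kdc1 kdc[9671]: AS-REQ user@EXAMPLE.ORG from IPv4:192.0.2.11
for afs/example.org@EXAMPLE.ORG
Oct 13 16:27:24 kdc1 kdc[9671]: UNKNOWN -- afs/example.org@EXAMPLE.ORG: No such entry
in the database
Oct 13 16:27:26 kdc1 kdc[9671]: AS-REQ user@EXAMPLE.ORG from IPv4:192.0.2.11
for afs@EXAMPLE.ORG
Oct 13 16:27:26 kdc1 kdc[9671]: Client supported enctypes:
aes256-cts-hmac-sha1-96, des3-cbc-sha1, des-cbc-crc, des-cbc-md5
Oct 13 16:27:26 kdc1 kdc[9671]: Using aes256-cts-hmac-sha1-96/des-cbc-md5
"""

HEAD = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ kdc\[\d+\]: (.*)$")
# Assumption: single DES is the only enctype family AFS can use here.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

def unwrap(text):
    """Rejoin continuation lines (no syslog header) onto the preceding message."""
    msgs = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            msgs.append(m.group(1).strip())
        elif line.strip() and msgs:
            msgs[-1] += " " + line.strip()
    return msgs

def summarize(text):
    """One dict per AS-REQ: service, offered enctypes, logged 'Using a/b' pair."""
    reqs = []
    for msg in unwrap(text):
        if m := re.match(r"AS-REQ (\S+) from \S+ for (\S+)", msg):
            reqs.append({"service": m[2], "offered": [], "using": None, "error": None})
        elif not reqs:
            continue
        elif msg.startswith("Client supported enctypes:"):
            reqs[-1]["offered"] = [e.strip() for e in msg.split(":", 1)[1].split(",")]
        elif m := re.match(r"Using ([\w-]+)/([\w-]+)$", msg):
            reqs[-1]["using"] = (m[1], m[2])
        elif msg.startswith("UNKNOWN --"):
            reqs[-1]["error"] = "unknown principal"
    return reqs

def non_des(req):
    """Enctypes in the logged pair that are not single DES (pair halves not interpreted)."""
    return [e for e in (req["using"] or ()) if e not in SINGLE_DES]
```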