On Thu, 25 Jul 2013, Andrew Deason wrote:
> On Thu, 25 Jul 2013 10:57:33 +0200
> Lars Schimmer <[email protected]> wrote:
>> Maybe I am not the best reader, but if I do use a win AD as a krb5
>> auth service and I did not change anything with my keyfiles and
>> everything, should OpenAFS 1.7.26 on Windows work as usual?
>
> I didn't have anything to do with the Windows client part of this, but
> yes, that's my understanding. For any platform, this release should
> behave the same as the previous one if you don't do anything with
> changing the keys or enctypes, etc.

I think the issue is actually a little more subtle. Prior to yesterday's
releases, all (*) places that got tokens from a TGT explicitly requested a
single-DES enctype for the session key. In yesterday's releases
(including 1.7.26), these places no longer explicitly request single-DES,
and use a KDF to convert any non-DES session keys to DES keys for use in
the AFS wire protocol. In this new version of things, we rely on the KDC
to only supply a DES session key if the AFS server does not support the
KDF scheme. In principle, this is fine, since the afs service principal's
long-term key must be single-DES for the (old) software to work at all,
and in the absence of other information, the KDC should not assume that a
service supports an enctype for which it has no long-term key.
The short version is: a misconfigured KDC can cause problems for new
clients against old servers.
-Ben

(*) klog.krb5 in 1.4.x did not do so; this was probably just an oversight
long ago.
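As an added example (not code from this thread or from OpenAFS), here is a small check an administrator could run over MIT `klist -e` output to spot the situation Ben describes: an `afs/` service whose ticket is DES-keyed (so the server is pre-KDF and needs a DES session key) but for which the KDC handed out a non-DES session key. The `klist -e` text below is constructed sample output; the "Etype (skey, tkt)" line format is MIT Kerberos' own.

```python
import re

# Constructed sample of `klist -e` output (MIT format); not taken from the thread.
# skey = session key enctype, tkt = enctype of the service's long-term key.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
07/25/2013 10:57:33  07/25/2013 20:57:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/25/2013 10:58:01  07/25/2013 20:57:33  afs/example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, des-cbc-crc
07/25/2013 10:58:05  07/25/2013 20:57:33  afs/other.example.com@EXAMPLE.COM
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
"""

ETYPE_RE = re.compile(r"Etype \(skey, tkt\): ([\w-]+), ([\w-]+)")
HEADER_PREFIXES = ("Ticket cache", "Default principal", "Valid starting")


def parse_klist(text):
    """Return [(service_principal, skey_etype, tkt_etype), ...] from klist -e text."""
    entries, current = [], None
    for line in text.splitlines():
        m = ETYPE_RE.search(line)
        if m and current:
            entries.append((current, m.group(1), m.group(2)))
            current = None
        elif line.strip() and not line.startswith(HEADER_PREFIXES):
            # A ticket line ends with the service principal name.
            current = line.split()[-1]
    return entries


def is_des(etype):
    return etype.startswith("des-")


def afs_session_key_findings(text):
    """afs/ tickets whose service key is single-DES but whose session key is not.

    Such a ticket is the misconfigured-KDC case: an old (pre-KDF) server can
    only use a DES session key, so a new client will derive a key via the KDF
    that the server cannot match.
    """
    findings = []
    for princ, skey, tkt in parse_klist(text):
        name = princ.split("@")[0]
        if name == "afs" or name.startswith("afs/"):
            if is_des(tkt) and not is_des(skey):
                findings.append((princ, skey, tkt))
    return findings


if __name__ == "__main__":
    for princ, skey, tkt in afs_session_key_findings(SAMPLE_KLIST):
        print(f"{princ}: service key {tkt} but session key {skey}")
```

Run it against real output with `klist -e` after obtaining an afs ticket (for example via `kvno afs/<cell>`); an empty result means every DES-keyed afs service also received a DES session key.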
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info