[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

import from kaserver: passwords work, keytabs don't

I don't know if this is because I did something wrong or because heimdal
isn't quite there yet, or if this is a legitimate bug.

I've been experimenting with heimdal, and recently have been using hprop to
import entries from ece.cmu.edu's kaserver.DB0 into my test KDC.  The result
of this is somewhat interesting:  I can kinit fine with a password, but
not with a keytab.  The same operation worked fine when using MIT Kerberos 5
with the NRL patches and afs2k5db.

(This first showed up when I added kadmin.hprop with kas and imported it,
instead of manually adding it to the KDC with kadmin -l.  I couldn't repeat
the hprop, "Additional pre-aithentication required".  The same error shows up
when using a keytab to kinit.)

As far as I can tell, the difference is that it works if the principal has a
des3 key (as opposed to des key with AFS salt, as imported from the kaserver).

So, is this a deficiency, an outright bug, or did I manage to miss something
(but the only difference from the successful attempts is that kadmin/hprop
is now imported from the kaserver)?

brandon s. allbery	[os/2][linux][solaris][japh]	 allbery@kf8nh.apk.net
system administrator	     [WAY too many hats]	   allbery@ece.cmu.edu
electrical and computer engineering					 KF8NH
carnegie mellon university	      ["God, root, what is difference?" -Pitr]