Re: 0.1m: krb4 is krb4, krb5 is krb5, never the twain shall meet?

>It seems that when krb4 or kaserver principals are hprop'ed over, they
>get keys with krb4 enctypes.  These keys cannot be used by krb5,
>apparently:  while I can still authenticate against heimdal's KDC with
>krb4 utilities (kaserver is as yet untested), I cannot authenticate 
>as one of the transferred principals using heimdal's kinit --- or
>kauth, or hprop, or anything else that wants to use krb5-style
>authentication.  Principals added via "kadmin -l" get both krb4 and
>krb5 enctypes, and work properly with both.

While I'll confess to having not that much experience with Heimdal, do
you really have V4 keys in your database, or do you have AFS-salted keys?

>What would it take to get the transferred keys re-encoded with
>des3-cbc-sha1 as well as with the krb4-compatible enctypes? 

It's impossible to derive one key from another (well, "computationally
infeasible"), since you need the original plaintext password to run
through the des3 stringtokey algorithm.