[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 0.1m: krb4 is krb4, krb5 is krb5, never the twain shall meet?
> It seems that when krb4 or kaserver principals are hprop'ed over, they
> get keys with krb4 enctypes. These keys cannot be used by krb5,
> apparently: while I can still authenticate against heimdal's KDC with
> krb4 utilities (kaserver is as yet untested), I cannot authenticate
> as one of the transferred principals using heimdal's kinit --- or
> kauth, or hprop, or anything else that want to use krb5-style
> authentication. Principals added via "kadmin -l" get both krb4 and
> krb5 enctypes, and work properly with both.
This is weird. I just set up a kaserver to test this and propagated
it over. Here is how the entries look:
assar@JUGUETE.SICS.SE 0::3:9bdc9bb59bd69ea4:10/"juguete.sics.se"::2:9bdc9bb59bd69ea4:10/"juguete.sics.se"::1:9bdc9bb59bd69ea4:10/"juguete.sics.se" 19990913004516:kadmin/hprop@JUGUETE.SICS.SE - - - - 90000 - 126
Keytypes(salts): des-cbc-md5(afs3-salt), des-cbc-md4(afs3-salt), des-cbc-crc(afs3-salt)
And I do manage to authenticate with klog, krb4 kinit, and heimdal
kinit. Can you verify that you get all the keys with the correct salt?
> What would it take to get the transferred keys re-encoded with
> des3-cbc-sha1 as well as with the krb4-compatible enctypes?
That should not be necessary, krb5 should work just fine with
DES-keys. Getting 3DES keys would mean changing, or at least
entering, the passwords.