[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 0.1m: krb4 is krb4, krb5 is krb5, never the twain shall meet?

On 13 Sep, Assar Westerlund wrote:
|  <allbery@kf8nh.apk.net> writes:
|  > Not true.  Enctypes, according to the code, are e.g. "des-cbc-crc"; the
|  > problem is that krb5 authentication doesn't work unless there is a
|  > (krb5-specific) des3-cbc-sha1 key defined.
|  That should not be the case and I know of people running Heimdal with
|  just DES keys so something else is rotten in the state of Denmark.

Hm.  I was getting AFS and krb4 authentication fine, but krb5 kinit
gave "Password incorrect" for all the transferred principals I tested.
If I created a new principal, it worked fine for all three
authentication variants.

|  > The krb5 auth code appears to try the default salt first, then the AFS
|  > salt.
|  The KDC does send back the salt information, including the type and
|  the salt-string.

I know, but I saw an extra attempt with a forced salt --- I think it
was the AFS salt, but I'm not absolutely certain --- in the code I
traced through while trying to figure this out.

brandon s. allbery	   os/2,linux,solaris,perl	allbery@kf8nh.apk.net
system administrator	   kthkrb,heimdal,gnome,rt	  allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			kf8nh
    We are Linux. Resistance is an indication that you missed the point.