[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Interoperability with MIT client using afs3-salt



I am unable to get full interoperability with MIT clients (tried 1.2.2 
from ReadHat and 1.2.5 compiled myself) when trying to authenticate for 
principals that only do have afs3-salted keys:

des-cbc-md5(afs3-salt(cern.ch))
des-cbc-md4(afs3-salt(cern.ch)) 
des-cbc-crc(afs3-salt(cern.ch))

If I have in addition 

des3-cbc-sha1(pw-salt)
des-cbc-md5(pw-salt())
des-cbc-md4(pw-salt()) 
des-cbc-crc(pw-salt())

then everything works well.

The Heimdal lines in krb5.conf are currently

 default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5

and the MIT ones are

 default_tgs_enctypes = des3-cbc-sha1 des des:afs3
 default_tkt_enctypes = des3-cbc-sha1 des des:afs3

I am getting
kinit(v5): Password incorrect while getting initial credentials
as it probably tries the wrong string to key function.
If I am leaving out des, then the error is

kinit(v5): KDC has no support for encryption type while getting initial credentials

As I have read that MIT is supporting the afs string to key algorithm, 
which part is not working, the MIT client or the Heimdal KDC?

How can I increase the amount of logging within the KDC? I am just seeing 
two AS-REQ requests which I also see using tcpdump. Is there some tool to 
further analyze the kerberos traffic?

Best regards
Wolfgang Friebel