[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Interoperability with MIT client using afs3-salt

I am unable to get full interoperability with MIT clients (tried 1.2.2
from ReadHat and 1.2.5 compiled myself) when trying to authenticate for
principals that only do have afs3-salted keys:


If I have in addition


then everything works well.

The Heimdal lines in krb5.conf are currently

 default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5

and the MIT ones are

 default_tgs_enctypes = des3-cbc-sha1 des des:afs3
 default_tkt_enctypes = des3-cbc-sha1 des des:afs3

I am getting
kinit(v5): Password incorrect while getting initial credentials
as it probably tries the wrong string to key function.
If I am leaving out des, then the error is

kinit(v5): KDC has no support for encryption type while getting initial

As I have read that MIT is supporting the afs string to key algorithm,
which part is not working, the MIT client or the Heimdal KDC?

How can I increase the amount of logging within the KDC? I am just seeing
two AS-REQ requests which I also see using tcpdump. Is there some tool to
further analyze the kerberos traffic?

Best regards
Wolfgang Friebel