
Interoperability with MIT client using afs3-salt



I am unable to get full interoperability with MIT clients (tried 1.2.2
from Red Hat and 1.2.5 compiled myself) when trying to authenticate for
principals that only have afs3-salted keys:

des-cbc-md5(afs3-salt(cern.ch))
des-cbc-md4(afs3-salt(cern.ch))
des-cbc-crc(afs3-salt(cern.ch))

If I have in addition

des3-cbc-sha1(pw-salt)
des-cbc-md5(pw-salt())
des-cbc-md4(pw-salt())
des-cbc-crc(pw-salt())

then everything works well.

The Heimdal lines in krb5.conf are currently

 default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5

and the MIT ones are

 default_tgs_enctypes = des3-cbc-sha1 des des:afs3
 default_tkt_enctypes = des3-cbc-sha1 des des:afs3

I am getting

kinit(v5): Password incorrect while getting initial credentials

as it probably tries the wrong string-to-key function.
If I leave out des, then the error is

kinit(v5): KDC has no support for encryption type while getting initial credentials

As I have read that MIT supports the AFS string-to-key algorithm,
which part is not working, the MIT client or the Heimdal KDC?

How can I increase the amount of logging within the KDC? I am just seeing
two AS-REQ requests, which I also see using tcpdump. Is there some tool to
further analyze the Kerberos traffic?

Best regards
Wolfgang Friebel