[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MIT & Heimdal playing together?




On Oct 6, 2004, at 3:37 PM, ms419@freezone.co.uk wrote:

> I suspect the problem is that the KDCs use different encryption types.  
> Our MIT KDC uses des3-hmac-sha1:
>
> kdc.conf: master_key_type = des3-hmac-sha1
>
> While I guess our Heimdal KDC uses des-cbc-crc:
>
> kdc.conf: #master_key_type = des-cbc-crc
>
> I found this lone message concerning transferring Kerberos databases  
> from MIT to Heimdal:  
> http://www.stacken.kth.se/lists/heimdal-discuss/2001-10/msg00049.html
>
> However I haven't succeeded in re-keying our database. I thought I  
> need to create a new des-cbc-crc master key with which to re-key our  
> database, but kdb5_util stash doesn't allow this.
>
> Has anyone here any suggestions? Or should I ask on the MIT list?

Is there an MIT option to do the dump in decrypted form?  That might be  
something to ask on the MIT kerberos list if you can't find one.  Then  
you just let Heimdal re-encrypt it.  No need to transfer master keys at  
all.

On Heimdal the master key file is just a normal keytab.  You can use  
all the normal tools to create it with the right kvno/enctype to match  
your old MIT key.
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu