Re: 0.1m: krb4 is krb4, krb5 is krb5, never the twain shall meet?
<allbery@kf8nh.apk.net> writes:
> It seems that when krb4 or kaserver principals are hprop'ed over, they
> get keys with krb4 enctypes. These keys cannot be used by krb5,
> apparently: while I can still authenticate against heimdal's KDC with
> krb4 utilities (kaserver is as yet untested), I cannot authenticate
> as one of the transferred principals using heimdal's kinit --- or
> kauth, or hprop, or anything else that wants to use krb5-style
> authentication. Principals added via "kadmin -l" get both krb4 and
> krb5 enctypes, and work properly with both.
This is weird. I just set up a kaserver to test this and propagated
it over. Here is how the entries look:

assar@JUGUETE.SICS.SE 0::3:9bdc9bb59bd69ea4:10/"juguete.sics.se"::2:9bdc9bb59bd69ea4:10/"juguete.sics.se"::1:9bdc9bb59bd69ea4:10/"juguete.sics.se" 19990913004516:kadmin/hprop@JUGUETE.SICS.SE - - - - 90000 - 126
Keytypes(salts): des-cbc-md5(afs3-salt), des-cbc-md4(afs3-salt), des-cbc-crc(afs3-salt)

And I do manage to authenticate with klog, krb4 kinit, and heimdal
kinit. Can you verify that you get all the keys with the correct salt?
> What would it take to get the transferred keys re-encoded with
> des3-cbc-sha1 as well as with the krb4-compatible enctypes?
That should not be necessary, krb5 should work just fine with
DES-keys. Getting 3DES keys would mean changing, or at least
entering, the passwords.
/assar
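
Added example, not part of the original message and not Heimdal code: a small Python checker that does the verification asked for above, listing each key's type and salt from a dump line and flagging anything that differs from the working entry. The field layout (kvno, then mkvno:enctype:key:salttype/"salt" per key) and the number-to-name maps are assumptions read off the entry and the Keytypes(salts) line in the message; the function names and sample lines are constructed.

```python
import re

# Assumed number-to-name maps: they match the entry and the "Keytypes(salts)"
# line quoted in the message (3/2/1 are the single-DES enctypes, 10 is afs3-salt).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1"}
SALTTYPES = {3: "pw-salt", 10: "afs3-salt"}

# One key: mkvno (may be empty) : enctype : hex key : salttype/"salt" or "-"
KEY_RE = re.compile(r'(\d*):(\d+):([0-9a-fA-F]+):(?:(\d+)/"([^"]*)"|-)')

def parse_keys(entry):
    """Return (principal, kvno, [(enctype, salttype, salt), ...]) for one dump line."""
    principal, keyfield = entry.split()[:2]
    kvno, _, rest = keyfield.partition(":")
    keys = []
    for m in KEY_RE.finditer(rest):
        _mkvno, etype, _keyhex, stype, salt = m.groups()
        ename = ENCTYPES.get(int(etype), "etype-" + etype)
        sname = SALTTYPES.get(int(stype), "salt-" + stype) if stype else "default"
        keys.append((ename, sname, salt))
    return principal, int(kvno), keys

def check_afs_keys(entry, cell):
    """Report anything that differs from the working entry shown in the message."""
    _, _, keys = parse_keys(entry)
    problems = []
    for wanted in ("des-cbc-md5", "des-cbc-md4", "des-cbc-crc"):
        if wanted not in [k[0] for k in keys]:
            problems.append("missing key type " + wanted)
    for ename, sname, salt in keys:
        if sname != "afs3-salt" or salt != cell:
            problems.append("%s has salt %s(%s), expected afs3-salt(%s)"
                            % (ename, sname, salt, cell))
    return problems

# Constructed sample lines (dummy key bytes, made-up realm), not real dump output.
TAIL = " 19990913004516:kadmin/hprop@EXAMPLE.ORG - - - - 90000 - 126"
GOOD = ('alice@EXAMPLE.ORG 0::3:0123456789abcdef:10/"example.org"'
        '::2:0123456789abcdef:10/"example.org"'
        '::1:0123456789abcdef:10/"example.org"' + TAIL)
BAD = 'bob@EXAMPLE.ORG 0::1:0123456789abcdef:3/"EXAMPLE.ORGbob"' + TAIL

if __name__ == "__main__":
    for line in (GOOD, BAD):
        name, kvno, keys = parse_keys(line)
        print(name, "kvno", kvno, ", ".join("%s(%s)" % k[:2] for k in keys))
        for p in check_afs_keys(line, "example.org"):
            print("  problem:", p)
```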