
Re: more q's on multiple salted keys kaserver and afs



On Mon, 17 Jul 2000, Miroslav Ruda wrote:

> Leif Johansson wrote:
> > Well, I set up my NT box and rolled in Transarc NT client version 3.6 but
> > was unable to get tickets even after applying the patch which started this 
> > thread. I set up my default_keys with v5 v4 and afs3-salt:<my cell> and 
> > made a new principal for myself and verified using get --long that it did 
> > indeed receive a set of afs3-salted keys.
> 
> Similar observation here - we are running Heimdal KDC without mentioned patch. 
> Users having v4 salt are able to get tokens with Transarc unix klog, heimdal 
> kauth and Transarc NT klog client (ver. 3.4 and 3.5). Users having v5 salted
> key are not able to get tokens with Transarc NT klog.
> 
> V4 salted keys are converted from v4 kth-krb kdc. V5 salted keys are new keys 
> or keys with changed password. There is a possibility to disable usage of 
> v5 salts ([kadmin] use_v4_salt = yes in kdc.conf) but we prefer to use 
> v5 salted keys (to be able to use Windows 2000 as clients with
> preauthentication). 
>
> I would suggest to patch kdc to support both v4 and v5 salt for des key.

The current stuff in CVS is so patched; right now we have things set up to
use v4 and v5 salted keys as we long ago converted our AFS infrastructure
to use v4 salt instead of AFS.

-D