Re: Problems with klog
Pär Aronsson <par.aronsson@nohup.se> writes:
> Hello everyone,
>
> Kalle Svensson has asked some questions about AFS and Heimdal, here is
> one more.
> We have managed to get AFS and Heimdal to accept each other, but klog
> doesn't work. We can get tickets using kinit and afslog on the AFS
> machine. Klist shows the following for the afs server:
> Ticket etype: des-cbc-md4, kvno 2
> We need to be able to use klog from the clients. How can we achieve
> that??
You can compile heimdal with ka-server support (--enable-kaserver) and then
run the kdc with the argument -K.
You should make sure you have an afs3 salted key for your principal, set
[kadmin]default_keys to make sure you get one.
A comment in lib/kadm5/set_keys.c describes this pretty well.
/* for each entry in `default_keys' try to parse it as a sequence
of etype:salttype:salt, syntax of this if something like:
[(des|des3|etype):](pw|afs3)[:string], if etype is omitted it
means everything, and if string is omitted is means the default
string (for that principal). Additional special values:
v5 == pw-salt, and
v4 == pw-salt:
*/
The ka-server will try to get des-afs3 key first.
Note that if you want to make sure that your keys are salted the way you
want them, you'll need to dump the principal with ``kadmin dump'' and read
the output, since you can't see what type of salting there is with ``kadmin
get -l <principal>''. You can also just count the keys, and if they are the
same as you expect, they are probably right.
Love
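
Added example, not part of the message above and not Heimdal's code: a small parser for the default_keys grammar quoted from lib/kadm5/set_keys.c, with a check for whether a given value requests the DES key with afs3 salt that the ka-server tries first. The sample values, the function names, and the acceptance of the long spellings "pw-salt"/"afs3-salt" are assumptions made for illustration.

```python
# Added illustration: parses [kadmin] default_keys entries using the grammar
# [(des|des3|etype):](pw|afs3)[:string] quoted in the message. Not Heimdal's code.
from typing import List, NamedTuple, Optional

SALT_TYPES = {"pw", "afs3"}  # salt types named in the quoted comment

class KeySpec(NamedTuple):
    etype: Optional[str]  # None = etype omitted, "means everything"
    salttype: str         # "pw" or "afs3"
    salt: Optional[str]   # None = default string for that principal

def _salt_name(token: str) -> Optional[str]:
    # Assumption: "pw-salt" / "afs3-salt" are accepted as well as "pw" / "afs3".
    name = token[:-5] if token.endswith("-salt") else token
    return name if name in SALT_TYPES else None

def parse_entry(entry: str) -> KeySpec:
    if entry == "v5":                 # v5 == pw-salt (default salt string)
        return KeySpec(None, "pw", None)
    if entry == "v4":                 # v4 == pw-salt: (explicitly empty salt string)
        return KeySpec(None, "pw", "")
    parts = entry.split(":")
    etype = None
    if _salt_name(parts[0]) is None:  # first field is not a salt type, so it is an etype
        etype, parts = parts[0], parts[1:]
    salttype = _salt_name(parts[0]) if parts else None
    if salttype is None or etype == "":
        raise ValueError(f"bad default_keys entry: {entry!r}")
    # Anything after the salt type is the salt string; absent means the default.
    salt = ":".join(parts[1:]) if len(parts) > 1 else None
    return KeySpec(etype, salttype, salt)

def parse_default_keys(value: str) -> List[KeySpec]:
    return [parse_entry(e) for e in value.split()]

def yields_des_afs3(value: str) -> bool:
    """True if some entry requests a DES key with afs3 salt."""
    def is_des(etype: Optional[str]) -> bool:
        return etype is None or etype == "des" or etype.startswith("des-cbc-")
    return any(s.salttype == "afs3" and is_des(s.etype)
               for s in parse_default_keys(value))

# Constructed sample values, not taken from the thread.
SAMPLE_OK = "v5 des:afs3:example.org"
SAMPLE_MISSING = "v5 v4 des3:pw"

if __name__ == "__main__":
    for value in (SAMPLE_OK, SAMPLE_MISSING):
        print(f"{value!r}: des/afs3 key requested = {yields_des_afs3(value)}")
```

This only checks what the configuration asks for; the keys actually stored for a principal still have to be confirmed from the ``kadmin dump'' output as described in the message.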