[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Interoperability with MIT client using afs3-salt
I am unable to get full interoperability with MIT clients (tried 1.2.2
from ReadHat and 1.2.5 compiled myself) when trying to authenticate for
principals that only do have afs3-salted keys:
des-cbc-md5(afs3-salt(cern.ch))
des-cbc-md4(afs3-salt(cern.ch))
des-cbc-crc(afs3-salt(cern.ch))
If I have in addition
des3-cbc-sha1(pw-salt)
des-cbc-md5(pw-salt())
des-cbc-md4(pw-salt())
des-cbc-crc(pw-salt())
then everything works well.
The Heimdal lines in krb5.conf are currently
default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5
and the MIT ones are
default_tgs_enctypes = des3-cbc-sha1 des des:afs3
default_tkt_enctypes = des3-cbc-sha1 des des:afs3
I am getting
kinit(v5): Password incorrect while getting initial credentials
as it probably tries the wrong string to key function.
If I am leaving out des, then the error is
kinit(v5): KDC has no support for encryption type while getting initial
credentials
As I have read that MIT is supporting the afs string to key algorithm,
which part is not working, the MIT client or the Heimdal KDC?
How can I increase the amount of logging within the KDC? I am just seeing
two AS-REQ requests which I also see using tcpdump. Is there some tool to
further analyze the kerberos traffic?
Best regards
Wolfgang Friebel