Windows with Krb5

Kevin Rowland
Tue, 24 Apr 2001 08:55:42 -0500

The NT client doesn't use fakeka for it's authentication. It uses
udp/750 (standard K4). Because of that, the first enctype that is stored
in the KDC for a user is the one that will be used (I think). What we
did was make sure the our kdc.conf listed the 'des-cbc-crc:afs3' enctype
first. This seemed to satisfy the NT clients. UMICH has made some
modifications to the K4 libraries to make them act more like a kaServer,
but since we have no K4 salted keys (only afs3 style) besides the K5
keys in the KDC, we just ordered them with afs3 at the top.

Question: Does anyone see that as being a problem? So far everything
seems fine in our testing. Since K5 allows for the client to specify
which enctype it supports, the issue seemed to only affect K4 style

-- kevin

| Kevin Rowland                          Phone:   (219)631-4745     |
| Sr. Systems Engineer                   Email:     |
| Office of Information Technology       G208 Hesburgh Library      |
| University of Notre Dame               Notre Dame, IN   46556     |

Elmar Abeln wrote:
> Has anyone successfully used the Windows AFS client in an AFS cell with Ken
> Hornstein's NRL AFS-Kerberos5 migration kit (which allow you to run a
> normal Krb5 server, storing afs3, krb5, and krb4 keys)?  We've successfully
> used it with unix clients (using aklog to obtain AFS tokens from krb5
> tickets) and have preserved the ability for users from foreign cells to
> authenticate to our servers by running "fakeka", which decodes just enough
> of the RX packet to forward the authentication request to the krb5 server.
> So far so good... but the Windows AFS client has looked more attractive to
> us lately and we cannot get it to work with our modified setup...
> I can browse AFS filespace unauthenticated just fine.  I can
> successfully obtain tokens for an unmodified AFS.
> But authenticating to the KDC Server i got at first the error
> The AFS Client was unable to obtain tokens as x30 in cell
> Error: 37 (unknown authentication error 37).
> This was an result of bad skewed times on Win and Kdc-Server (sol 7)
> But after correctin this problem i got an expired token (!) with
> expiration time 11:41:00 12/12/17 (!!!).
> Has anyone an idea ?
> Thank for help.
> Elmar
> ------------------------------------------------------------------------
> Dr. Elmar Abeln              email: Elmar.Abeln@URZ.Uni-Heidelberg.DE
> Universitaetsrechenzentrum
> Im Neuenheimer Feld 293      phone: +49 (6221) 54 4513
> D 69120 Heidelberg           fax:   +49 (6221) 54 5581
> ---------------------------------------------------------------------------