Windows with Krb5
Jeffrey Hutzelman
jhutz@cmu.edu
Thu, 14 Jun 2001 17:50:56 -0400 (EDT)

On Thu, 14 Jun 2001, Kevin Rowland wrote:
> > <...snip...>
> > To work around this, configure NT clients
> > to believe that your KDCs are AFS database servers. These extra
> > "database servers" will be used for Kerberos authentication, and then
> > timed out as vlservers fairly quickly. This setup has worked well for us
> > in production more or less since the NT client was released.
>
> I believe this works for you because you (UMICH) inserted code into
> kerberos_v4.c that searches for an afs3 salted key *before* a v4 style
> in response to a K4 request. This situation, otherwise, would not work
> (as it didn't for us -- which is what prompted me to try switching the
> keysalt list order). Am I missing something? Looks like I need to
> revisit the kerb_get_principal() code and incorporate that in to see if
> we can make both the AFS-NT client *and* Win2K clients happy...

I'm CMU, not UMICH. In any event, our Kerberos database doesn't have any
afs-salted keys. IIRC, the KDC code already prefers v4-salted keys to
keys with the default salt when answering V4 requests. Since AFS has been
able to handle v4-salted keys since at least 3.3a, this should not be a
problem.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA