Windows with Krb5

Kevin Rowland krowland@nd.edu
Thu, 14 Jun 2001 18:35:48 -0500


Jeffrey Hutzelman wrote:
> 
> On Thu, 14 Jun 2001, Kevin Rowland wrote:
> 
> > > <...snip...>
> > > To work around this, configure NT clients
> > > to believe that your KDC's are AFS database servers.  These extra
> > > "database servers" will be used for Kerberos authentication, and then
> > > timed out as vlservers fairly quickly.  This setup has worked well for us
> > > in production more or less since the NT client was released.
> >
> > I believe this works for you because you (UMICH) inserted code into
> > kerberos_v4.c that searches for an afs3 salted key *before* a v4 style
> > in response to a K4 request. This situation, otherwise, would not work
> > (as it didn't for us -- which is what prompted me to try switching the
> > keysalt list order). Am I missing something? Looks like I need to
> > revisit the kerb_get_principal() code and incorporate that in to see if
> > we can make both the AFS-NT client *and* Win2K clients happy...
> 
> I'm CMU, not UMICH.  In any event, our Kerberos database doesn't have any

:-) sorry 'bout that. I had UMICH on the brain as I was looking at their
code diffs (that they graciously sent me) at the time...

> afs-salted keys.  IIRC, the KDC code already prefers v4-salted keys to
> keys with the default salt when answering V4 requests.  Since AFS has been
> able to handle v4-salted keys since at least 3.3a, this should not be a
> problem.

I hadn't even thought about using the v4 salted keys instead of the afs3
style... In our testing we used this in our kdc.conf:

   supported_enctypes = des-cbc-crc:normal des-cbc-crc:afs3

I then switched the order to get the AFS-NT client to work (although I'm
confused as to why it didn't -- perhaps the afs client doesn't support
no-salt???)

Now, I've changed the kdc.conf to include these lines:

   supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
   kdc_supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3

Now the NT AFS client works (I assume that it tries using a v4
string-to-key *after* failing with the afs3 string-to-key). The code
that is already present in the KDC *does* prefer the v4 salt to no-salt.
My problem before was that I had no v4 salted keys to send back. Also,
now the Win2K machines receive the standard des-cbc-crc:normal key/salt
(I believe 'normal' is basically no-salt).

Thank you for the info!!!

-- kevin

/-------------------------------------------------------------------\
| Kevin Rowland                          Phone:   (219)631-4745     |
| Sr. Systems Engineer                   Email: krowland@nd.edu     |
| Office of Information Technology       G208 Hesburgh Library      |
| University of Notre Dame               Notre Dame, IN   46556     |
\-------------------------------------------------------------------/
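The keysalt lists discussed in this message, as an added example that is not code from the thread or from MIT krb5: a small parser for the `enctype:salttype` syntax of kdc.conf that reports which salt types a realm will store for a given enctype. It models the two configurations above (the first, with only `normal` and `afs3` salts, and the second, which adds `v4`) so an administrator can check the point Kevin ran into: a client that derives its key with the Kerberos 4 string-to-key can only be served if a `des-cbc-crc:v4` keysalt is configured. The realm name `EXAMPLE.EDU` and the database path are placeholders, and a token written without a salt is treated here as `normal` (an assumption of this example).

```python
"""Parse the enctype:salt lists in an MIT krb5 kdc.conf and report which
salt types are configured for an enctype.  Added example; not code from
the mailing-list thread or from MIT krb5 itself."""
import re

# Salt type names MIT krb5 accepts in keysalt lists.
KNOWN_SALT_TYPES = {"normal", "v4", "norealm", "onlyrealm", "afs3", "special"}

# Constructed kdc.conf fragments (realm name and path are placeholders),
# modelled on the failing and the working configurations in the thread.
KDC_CONF_BEFORE = """
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    EXAMPLE.EDU = {
        database_name = /var/krb5kdc/principal
        supported_enctypes = des-cbc-crc:normal des-cbc-crc:afs3
    }
"""

KDC_CONF_AFTER = """
[realms]
    EXAMPLE.EDU = {
        supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
        kdc_supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
    }
"""


def parse_kdc_conf(text):
    """Return {(section, [subsection...]): {tag: value}} for the subset of
    the krb5 profile syntax used in kdc.conf: [section] headers,
    'NAME = {' ... '}' blocks, and 'tag = value' lines.  '#' starts a comment."""
    conf = {}
    section = None
    stack = []  # names of the enclosing '{' blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, stack = m.group(1), []
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            stack.append(m.group(1))
            continue
        if line == "}":
            stack.pop()
            continue
        tag, _, value = line.partition("=")
        where = (section, *stack)
        conf.setdefault(where, {})[tag.strip()] = value.strip()
    return conf


def parse_keysalts(value):
    """Split 'enc:salt enc:salt ...' into (enctype, salttype) pairs.
    A token with no ':' is given the 'normal' salt (assumed default here)."""
    pairs = []
    for token in value.split():
        enc, _, salt = token.partition(":")
        salt = salt or "normal"
        if salt not in KNOWN_SALT_TYPES:
            raise ValueError(f"unknown salt type {salt!r} in {token!r}")
        pairs.append((enc, salt))
    return pairs


def salts_for(conf, realm, tag, enctype):
    """Salt types listed for `enctype` under `tag` in the realm's stanza."""
    stanza = conf.get(("realms", realm), {})
    return {salt for enc, salt in parse_keysalts(stanza.get(tag, ""))
            if enc == enctype}


def v4_key_available(conf, realm):
    """True when new principals in `realm` get a des-cbc-crc key with the
    Kerberos 4 salt, which is what a K4 string-to-key client needs."""
    return "v4" in salts_for(conf, realm, "supported_enctypes", "des-cbc-crc")


if __name__ == "__main__":
    for label, text in (("before", KDC_CONF_BEFORE), ("after", KDC_CONF_AFTER)):
        conf = parse_kdc_conf(text)
        salts = salts_for(conf, "EXAMPLE.EDU", "supported_enctypes", "des-cbc-crc")
        print(f"{label}: des-cbc-crc salts {sorted(salts)}, "
              f"v4 key available: {v4_key_available(conf, 'EXAMPLE.EDU')}")
```

Run as a script, the "before" configuration reports no v4 key and the "after" configuration reports one; `salts_for` can be pointed at `kdc_supported_enctypes` as well to confirm the KDC will still answer afs3-salted requests once that list includes `des-cbc-crc:afs3`.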