afs to k5 conversion keytypes

sdevine@msu.edu
Thu Feb 17 10:55:07 EST 2005


All;
We are in the process of converting our AFS database (kaserver) to MIT Kerberos 5.
We have used Ken Hornstein's tool kit to get to where we are now.
We are finding, however, that many of the services that want to use K5 (Windows AD, for example) will not succeed against the single DES key (des-cbc-crc) we had to use as master when converting the kaserver.
########################
Sample converted afs user who has NOT changed their password:
##########################
kadmin.local:  getprinc xxxxxx
Principal: xxxxx at MSU.EDU
Expiration date: Wed Dec 30 19:00:00 EST 2037
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 1 day 01:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Dec 10 16:20:42 EST 2004 (Rsad/admin at MSU.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
##############

If a user changed their password in the KDC after they have been
converted, then they will have the extra keys associated with their
principal, and then they are OK.
############################
SAMPLE Converted afs user who HAS changed their password:
#############################
kadmin.local:  getprinc xxxx
Principal: xxxx at MSU.EDU
Expiration date: Wed Dec 30 19:00:00 EST 2037
Last password change: Thu Feb 17 09:45:37 EST 2005
Password expiration date: [none]
Maximum ticket life: 1 day 01:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Feb 17 09:45:37 EST 2005 (sad2/admin at MSU.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, DES cbc mode with CRC-32, no salt
Key: vno 7, DES cbc mode with CRC-32, Version 4
Key: vno 7, DES cbc mode with CRC-32, AFS version 3
Attributes:
########################

So here is my question. Is there a way to get the extra keys in place
during the conversion? Or can I dump the database and reload it somehow
and get what I want?
Otherwise do I have to make 40,000 plus users connect and reset their
passwords?

Thanks in advance for your help.
Steve Devine
Michigan State University
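
An added example, not part of the original message: one way to inventory which converted principals still hold only single-DES keys, by parsing `getprinc` output in the layout quoted above. The function names, sample principals and realm are constructed for illustration, and the parser assumes the key lines are printed exactly as in the two samples in the message.

```python
import re

# Constructed sample in the getprinc layout quoted in the message above
# (principal names and realm are made up).
SAMPLE = """\
Principal: alice@EXAMPLE.EDU
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3

Principal: bob@EXAMPLE.EDU
Number of keys: 4
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, DES cbc mode with CRC-32, no salt
Key: vno 7, DES cbc mode with CRC-32, Version 4
Key: vno 7, DES cbc mode with CRC-32, AFS version 3
"""

# "Key: vno <n>, <enctype description>, <salt type>" as printed in that layout.
KEY_RE = re.compile(r"^Key: vno (\d+), (.+), ([^,]+)$")

def parse_principals(text):
    """Map each principal to its list of (kvno, enctype, salt) tuples."""
    principals, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            principals[current] = []
        elif current is not None:
            m = KEY_RE.match(line)
            if m:
                principals[current].append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return principals

def only_single_des(keys):
    """True when no key is stronger than single DES ("Triple DES" does not match)."""
    return all(enctype.startswith("DES ") for _, enctype, _ in keys)

def principals_needing_rekey(text):
    """Principals whose whole key list is single DES, i.e. not yet re-keyed."""
    return sorted(p for p, k in parse_principals(text).items() if only_single_des(k))

if __name__ == "__main__":
    for name in principals_needing_rekey(SAMPLE):
        print(name)
```

Run against collected `getprinc` output for every principal, this gives the list of accounts that match the first sample in the message rather than the second.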


