Updating encryption types
Phil Dibowitz
phil at usc.edu
Thu Jul 7 20:30:07 EDT 2005
On Thu, Jul 07, 2005 at 02:22:59PM -0700, Phil Dibowitz wrote:
> On Wed, Jul 06, 2005 at 07:21:17PM -0400, Kevin Coffman wrote:
> > My guess is that your krbtgt/ISD.ISC.EDU@ISD.USC.EDU principal still
> > only has a des key. 'cpw -randkey -keepold' on that principal to
> > generate other keys.
>
> Nice. That works. I didn't realize that had to be updated. Which leaves me
> with a few more questions:
>
> 1. What's the difference between the principals krbtgt@ISD.USC.EDU and
> krbtgt/ISD.USC.EDU@ISD.USC.EDU ? They both exist, but krbtgt/ISD.USC.EDU seems
> to be the ACTUAL ticket granting principal, while krbtgt@ISD.USC.EDU has the
> DISALLOW_ALL_TIX attribute.
OK, so going back, I find that
krbtgt/ISD.USC.EDU@ISD.USC.EDU is for crossrealm trust.
krbtgt@ISD.USC.EDU was our original tgt.
However, now all tickets seem to be coming from
krbtgt/ISD.USC.EDU@ISD.USC.EDU. Now the person who set up
krbtgt/ISD.USC.EDU@ISD.USC.EDU and the cross-realm trust was 2 admins ago -
did they make a mistake, or is this a bug in kerb, or is this expected
behavior?
In other words, my klist looks like this:
[phil@frantic phil]$ klist
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil@ISD.USC.EDU

Valid starting     Expires            Service principal
07/07/05 14:34:25  07/08/05 00:34:23  krbtgt/ISD.USC.EDU@ISD.USC.EDU
[phil@frantic phil]$
But I would think it SHOULD look like this:
[phil@frantic phil]$ klist
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil@ISD.USC.EDU

Valid starting     Expires            Service principal
07/07/05 14:34:25  07/08/05 00:34:23  krbtgt@ISD.USC.EDU
[phil@frantic phil]$
I get the eerie feeling that this is due to a misconfiguration of our
cross-realm trust...
Hmmm.
--
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
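
The quoted advice in this message turns on a krbtgt principal that has only a DES key. As an added example (not part of the original post), this Python sketch audits saved kadmin `getprinc` output for principals whose newest key version is single DES only; the realm names and sample text are constructed, the function names are hypothetical, and the "Key: vno N, <enctype>" line format is assumed in both its older descriptive and newer short-name styles.

```python
import re

# Single-DES enctypes as getprinc prints them: short names (des-cbc-crc) or the
# older description (DES cbc mode with CRC-32). Anchored at the start of the
# string, so "Triple DES cbc mode ..." and "des3-cbc-sha1" do not match.
SINGLE_DES = re.compile(r"(des-cbc-(crc|md4|md5|raw)|des-hmac-sha1|DES cbc mode)\b", re.I)
KEY_LINE = re.compile(r"^Key: vno (\d+), (.+)$")

# Constructed sample: one principal never rekeyed, one rekeyed with -keepold.
SAMPLE = """\
Principal: krbtgt/OLD.EXAMPLE@OLD.EXAMPLE
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Principal: krbtgt/NEW.EXAMPLE@NEW.EXAMPLE
Number of keys: 3
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

def parse_getprinc(text):
    """Map each principal to its list of (kvno, enctype description)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal: "):
            current = line[len("Principal: "):]
            keys[current] = []
        elif current and (m := KEY_LINE.match(line)):
            keys[current].append((int(m.group(1)), m.group(2)))
    return keys

def des_only(principal_keys):
    """True if every key at the newest kvno is single DES.

    Keys kept by -keepold sit at older kvnos and are ignored here, since
    new tickets are issued under the newest key version.
    """
    if not principal_keys:
        return False
    newest = max(kvno for kvno, _ in principal_keys)
    return all(SINGLE_DES.match(e) for kvno, e in principal_keys if kvno == newest)

def weak_principals(text):
    """Principals in the getprinc output that still need rekeying."""
    return [p for p, k in parse_getprinc(text).items() if des_only(k)]

if __name__ == "__main__":
    for principal in weak_principals(SAMPLE):
        print("single-DES only:", principal)
```
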