Updating encryption types

Phil Dibowitz phil at usc.edu
Thu Jul 7 20:46:18 EDT 2005


On Thu, Jul 07, 2005 at 05:30:07PM -0700, Phil Dibowitz wrote:
> On Thu, Jul 07, 2005 at 02:22:59PM -0700, Phil Dibowitz wrote:
> > On Wed, Jul 06, 2005 at 07:21:17PM -0400, Kevin Coffman wrote:
> > > My guess is that your krbtgt/ISD.ISC.EDU at ISD.USC.EDU principal still
> > > only has a des key.  'cpw -randkey -keepold' on that principal to
> > > generate other keys.
> > 
> > Nice. That works. I didn't realize that had to be updated. Which leaves me
> > with a few more questions:
> > 
> > 1. What's the difference between the principals krbtgt at ISD.USC.EDU and
> > krbtgt/ISD.USC.EDU at ISD.USC.EDU ? They both exist, but krbtgt/ISD.USC.EDU seems
> > to be the ACTUAL ticket granting principal, while krbtgt at ISD.USC.EDU has the
> > DISALLOW_ALL_TIX attribute. 
> 
> OK, so going back, I find that
> 
> krbtgt/ISD.USC.EDU at ISD.USC.EDU is for crossrealm trust.
> krbtgt at ISD.USC.EDU was our original tgt.

Oh, I typoed. Which made me realize there's another issue. The cross-realm
princ is:

krbtgt/ICS.USC.EDU at ISD.USC.EDU

and the right tgt (based on Kerberos by Brian Tung), doesn't seem to be doing
anything:

krbtgt at ISD.USC.EDU

and the mystery ticket is doing everything:

krbtgt/ISD.USC.EDU at ISD.USC.EDU

Now I'm quite confused. Any thoughts would be appreciated.

-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20050707/8480f3ed/attachment.bin


More information about the Kerberos mailing list