more ldap concerns
Will Fiveash
William.Fiveash at sun.com
Wed Jun 7 19:08:07 EDT 2006
On Wed, Jun 07, 2006 at 05:39:27PM -0500, Will Fiveash wrote:
>
> (more enctype issues...)
>
> After running:
>
> kdb5_ldap_util -D "cn=directory manager" -w my_password create -P my_password -subtree "dc=south,dc=sun,dc=com"
>
> then:
>
> $ ./kadmin.local -q 'getprinc krbtgt/ACME.COM'
> Authenticating as principal willf/admin at ACME.COM with password.
> Principal: krbtgt/ACME.COM at ACME.COM
> Expiration date: [never]
> Last password change: [never]
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Tue Jun 06 16:53:52 CDT 2006 (cn=directory manager at ACME.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> ???????????????????????????????????????????
> Attributes:
> Policy: [none]
>
> This was using the defaults for enctypes (no enctype parameters were
> specified in the k*.conf or kdb5_ldap_util). I'm bothered by the fact
> that krbtgt only has a DES3 key. The db2 krbtgt princ created using
> defaults had 2 keys (des3 and des-cbc-crc). Even this seems weird to
> me. By default Solaris creates a krbtgt princ with keys for all
> supported enctypes on the KDC. Why isn't this the case with the MIT
> code?
and when I do:
kadmin.local -q 'cpw -randkey krbtgt/ACME.COM'
kadmin.local -q 'cpw -randkey krbtgt/ACME.COM'
I see:
kadmin.local -q 'getprinc krbtgt/ACME.COM'
Authenticating as principal willf/admin at ACME.COM with password.
Principal: krbtgt/ACME.COM at ACME.COM
Expiration date: [never]
Last password change: Wed Jun 07 18:05:56 CDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jun 07 18:05:56 CDT 2006 (cn=directory manager at ACME.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
Why are the old keys still around?
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
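A check that follows from the exchange above, as an added example that is not part of this message or of MIT Kerberos: a Python audit of `getprinc` output that groups the `Key: vno N, ...` lines by kvno, reports which older kvnos are still stored after the `cpw -randkey` runs, and flags keys whose enctype is single DES. The two sample inputs are constructed from the outputs quoted in this message; the weak-enctype classification (single DES and RC4) is this example's own assumption, not something the thread states.

```python
"""Audit key versions and enctypes in MIT kadmin `getprinc` output.

Added example, not code from the krbdev thread or from MIT Kerberos.
It parses the `Key: vno N, <enctype>, <salt>` lines kadmin prints,
groups them by kvno, and reports (a) kvnos older than the current one
that are still stored and (b) keys whose enctype is single DES or RC4.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: the relevant lines of the getprinc output quoted
# above, taken after the two `cpw -randkey` runs.
SAMPLE_AFTER_RANDKEY = """\
Principal: krbtgt/ACME.COM@ACME.COM
Last password change: Wed Jun 07 18:05:56 CDT 2006
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
"""

# Constructed sample: the freshly created principal from the quoted part.
SAMPLE_FRESH = """\
Principal: krbtgt/ACME.COM@ACME.COM
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
"""

KEY_LINE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")
COUNT_LINE = re.compile(r"^Number of keys: (\d+)$")


def is_weak_enctype(name: str) -> bool:
    """Classification assumed for this example: single DES and RC4 are weak.

    kadmin prints single DES as "DES cbc mode with ..." and 3DES as
    "Triple DES cbc mode ...", so a prefix match keeps them apart.
    """
    return name.startswith("DES cbc mode") or name.startswith("ArcFour")


def parse_keys(text: str) -> dict:
    """Return {kvno: [(enctype, salt), ...]} in the order kadmin printed them."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys[int(m.group(1))].append((m.group(2), m.group(3)))
    return dict(keys)


def declared_key_count(text: str):
    """The 'Number of keys:' value kadmin prints, or None if absent."""
    for line in text.splitlines():
        m = COUNT_LINE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def audit(text: str) -> dict:
    """Summarise stale kvnos and weak enctypes for one principal."""
    keys = parse_keys(text)
    if not keys:
        raise ValueError("no 'Key: vno' lines found in getprinc output")
    current = max(keys)
    parsed_count = sum(len(v) for v in keys.values())
    declared = declared_key_count(text)
    return {
        "current_kvno": current,
        # every kvno below the newest one is an older key set still in the DB
        "stale_kvnos": sorted(k for k in keys if k < current),
        "weak_keys": [(k, enc) for k in sorted(keys)
                      for enc, _salt in keys[k] if is_weak_enctype(enc)],
        # cross-check the printed count against the Key: lines actually seen
        "key_count_matches": declared is None or declared == parsed_count,
    }


if __name__ == "__main__":
    # Pipe real output in, e.g.
    #   kadmin.local -q 'getprinc krbtgt/ACME.COM' | python3 audit.py
    # otherwise run against the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AFTER_RANDKEY
    print(audit(text))
```

Non-matching lines such as "Authenticating as principal ..." are ignored, so the script can be fed the raw `kadmin.local -q 'getprinc ...'` output directly; a non-empty `stale_kvnos` list is the condition the message above is asking about.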