more ldap concerns

Will Fiveash William.Fiveash at sun.com
Wed Jun 7 19:08:07 EDT 2006


On Wed, Jun 07, 2006 at 05:39:27PM -0500, Will Fiveash wrote:
> 
> (more enctype issues...)
> 
> After running:
> 
> kdb5_ldap_util -D "cn=directory manager" -w my_password create -P my_password -subtree "dc=south,dc=sun,dc=com"
> 
> then:
> 
> $ ./kadmin.local -q 'getprinc krbtgt/ACME.COM'
> Authenticating as principal willf/admin at ACME.COM with password.
> Principal: krbtgt/ACME.COM at ACME.COM
> Expiration date: [never]
> Last password change: [never]
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Tue Jun 06 16:53:52 CDT 2006 (cn=directory manager at ACME.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>             ???????????????????????????????????????????
> Attributes:
> Policy: [none]
> 
> This was using the defaults for enctypes (no enctype parameters were
> specified in the k*.conf or kdb5_ldap_util).  I'm bothered by the fact
> that krbtgt only has a DES3 key.  The db2 krbtgt princ created using
> defaults had 2 keys (des3 and des-cbc-crc).  Even this seems weird to
> me.  By default Solaris creates a krbtgt princ with keys for all
> supported enctypes on the KDC.  Why isn't this the case with the MIT
> code?

and when I do:

kadmin.local -q 'cpw -randkey krbtgt/ACME.COM'
kadmin.local -q 'cpw -randkey krbtgt/ACME.COM'

I see:

kadmin.local -q 'getprinc krbtgt/ACME.COM'
Authenticating as principal willf/admin at ACME.COM with password.
Principal: krbtgt/ACME.COM at ACME.COM
Expiration date: [never]
Last password change: Wed Jun 07 18:05:56 CDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jun 07 18:05:56 CDT 2006 (cn=directory manager at ACME.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

Why are the old keys still around?

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
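The two things the post points at, a krbtgt entry that keeps old kvnos after `cpw -randkey` and one that carries only the enctypes the defaults happen to pick, are both visible in `getprinc` output, so an added example (not part of the post or of MIT Kerberos) that parses that output and reports stale key versions and weak enctypes. The sample listing is constructed from the post's second `getprinc`; the weak-enctype list and the finding names are this example's assumptions.

```python
"""Audit kadmin 'getprinc' output for stale key versions and weak enctypes.

Constructed sample below mirrors the krbtgt listing from the post; the
parsing and the weak-enctype list are this example's assumptions, not kadmin's.
"""
import re
from collections import defaultdict

# Constructed sample: the listing seen after two 'cpw -randkey' runs.
SAMPLE = """\
Principal: krbtgt/ACME.COM@ACME.COM
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
"""

KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")
# Assumed set of enctype names (as kadmin prints them) to flag as weak.
WEAK_ENCTYPES = ("DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5",
                 "DES cbc mode with RSA-MD4")

def parse_keys(text):
    """Return a list of (kvno, enctype, salt) tuples from getprinc output."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3)))
    return keys

def audit(text):
    """Report the current kvno, retained older kvnos and weak enctypes."""
    keys = parse_keys(text)
    by_kvno = defaultdict(list)
    for kvno, enctype, _salt in keys:
        by_kvno[kvno].append(enctype)
    current = max(by_kvno) if by_kvno else None
    # Old krbtgt kvnos keep TGTs issued under them decryptable; list them.
    stale = sorted(k for k in by_kvno if k != current)
    weak = sorted({e for _k, e, _s in keys if e in WEAK_ENCTYPES})
    return {"current_kvno": current, "stale_kvnos": stale,
            "weak_enctypes": weak, "key_count": len(keys)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```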
