random to key from password

Russ Allbery rra at stanford.edu
Mon Sep 27 18:49:15 EDT 2010


Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> On Mon, Sep 27, 2010 at 03:20:38PM -0700, Russ Allbery wrote:

>> The problem wasn't that not all clients support PA-ENC-TIMESTAMP.  The
>> problem is that if you don't mark a principal as requiring pre-auth, no
>> pre-auth will be done, even if the client supports it.  Therefore, if
>> you set a service principal as requiring pre-auth before setting all
>> principals authenticating to that service principal as requiring
>> pre-auth (and waiting for existing ticket caches to expire),
>> authentications suddenly start failing.

> Well, it helps to create all new user principals as requiring pre-auth,
> set all clients' krb5.conf to use pre-auth, and then between attrition
> and periodic mini-flag days for users on vacation... you'll get to where
> you can use the big hammer on the KDC.

This still doesn't work: previously created service principals then can't
authenticate to any new service created after one started setting pre-auth
by default.

We really did try this, and I don't think there's any way to do the
transition when the two flags have mingled meaning without working out the
dependency order of all of one's service principals.

User principals aren't the problem.  All our user principals have had
pre-auth required for as long as we've been running Kerberos v5.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
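A small model, added here and not part of the thread, of the flag interaction Russ describes: the KDC only performs pre-auth for principals flagged requires_preauth, and a service flagged the same way rejects TGTs obtained without it. Principal names, the authentication edges and the flag values are constructed; the ordering function shows the "dependency order" a safe transition needs.

```python
# Added model (not the list's or MIT's code) of the requires_preauth transition
# problem in the thread: hypothetical principal names, MIT-style flag semantics.
from collections import deque

def as_req(principals, client):
    """AS exchange. The KDC demands pre-auth only for principals flagged
    requires_preauth; an unflagged client does none even if it could, so its
    TGT lacks the PRE-AUTHENT ticket flag. Returns the TGT as a dict."""
    return {"client": client, "pre_authent": principals[client]}

def tgs_req(principals, tgt, service):
    """TGS exchange. A service flagged requires_preauth rejects any TGT that
    was issued without pre-authentication."""
    return tgt["pre_authent"] or not principals[service]

def broken_paths(principals, auth_edges):
    """(client, service) pairs that fail with the current flags. auth_edges
    lists which principals obtain service tickets for which services."""
    return [(c, s) for c, s in auth_edges
            if not tgs_req(principals, as_req(principals, c), s)]

def flag_order(auth_edges):
    """Order in which to set requires_preauth without breaking any edge:
    every client of a service must be flagged (and its old ticket caches
    expired) before the service is. Kahn's algorithm; None means a cycle,
    i.e. no safe order short of a flag day."""
    names = {n for e in auth_edges for n in e}
    indeg = {n: 0 for n in names}
    users = {n: [] for n in names}
    for c, s in auth_edges:
        indeg[s] += 1
        users[c].append(s)
    ready = deque(sorted(n for n in names if indeg[n] == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for s in users[n]:
            indeg[s] -= 1
            if indeg[s] == 0:
                ready.append(s)
    return order if len(order) == len(names) else None

# Constructed realm: True = requires_preauth set. Users were always flagged;
# an old host principal was not, and a newly created service is.
PRINCIPALS = {"alice": True, "host/old.example.com": False,
              "host/new.example.com": True}
EDGES = [("alice", "host/old.example.com"), ("alice", "host/new.example.com"),
         ("host/old.example.com", "host/new.example.com")]

if __name__ == "__main__":
    print(broken_paths(PRINCIPALS, EDGES))  # the old host cannot reach the new service
    print(flag_order(EDGES))                # flag alice, then old host, then new
```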