[24245] in Kerberos
Re: Updating encryption types
daemon@ATHENA.MIT.EDU (Phil Dibowitz)
Thu Jul 7 20:30:48 2005
Date: Thu, 7 Jul 2005 17:30:07 -0700
From: Phil Dibowitz <phil@usc.edu>
To: Kevin Coffman <kwc@citi.umich.edu>, kerberos@mit.edu,
Toan Nguyen <toan@usc.edu>
Message-ID: <20050708003007.GY8907@usc.edu>
Mail-Followup-To: Kevin Coffman <kwc@citi.umich.edu>, kerberos@mit.edu,
Toan Nguyen <toan@usc.edu>
In-Reply-To: <20050707212259.GK8907@usc.edu>
On Thu, Jul 07, 2005 at 02:22:59PM -0700, Phil Dibowitz wrote:
> On Wed, Jul 06, 2005 at 07:21:17PM -0400, Kevin Coffman wrote:
> > My guess is that your krbtgt/ISD.ISC.EDU@ISD.USC.EDU principal still
> > only has a des key. 'cpw -randkey -keepold' on that principal to
> > generate other keys.
> 
> Nice. That works. I didn't realize that had to be updated. Which leaves me
> with a few more questions:
> 
> 1. What's the difference between the principals krbtgt@ISD.USC.EDU and
> krbtgt/ISD.USC.EDU@ISD.USC.EDU ? They both exist, but krbtgt/ISD.USC.EDU seems
> to be the ACTUAL ticket granting principal, while krbtgt@ISD.USC.EDU has the
> DISALLOW_ALL_TIX attribute.
OK, so going back, I find that
krbtgt/ISD.USC.EDU@ISD.USC.EDU is for crossrealm trust.
krbtgt@ISD.USC.EDU was our original tgt.
However, now all tickets seem to be coming from
krbtgt/ISD.USC.EDU@ISD.USC.EDU. Now the person who set up
krbtgt/ISD.USC.EDU@ISD.USC.EDU and the cross-realm trust was 2 admins ago -
did they make a mistake, or is this a bug in kerb, or is this expected
behavior?
In other words, my klist looks like this:
[phil@frantic phil]$ klist
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil@ISD.USC.EDU

Valid starting     Expires            Service principal
07/07/05 14:34:25  07/08/05 00:34:23  krbtgt/ISD.USC.EDU@ISD.USC.EDU
[phil@frantic phil]$ 
But I would think it SHOULD look like this:
[phil@frantic phil]$ klist
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil@ISD.USC.EDU

Valid starting     Expires            Service principal
07/07/05 14:34:25  07/08/05 00:34:23  krbtgt@ISD.USC.EDU
[phil@frantic phil]$ 
I get the eerie feeling that this is due to a misconfiguration of our
cross-realm trust...
Hmmm.
-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
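As an added example (not part of the thread), here is a small parser over the klist output quoted above that classifies each ticket by its service principal. It encodes the naming convention MIT krb5 uses: the local TGT is issued under krbtgt/REALM@REALM (exactly what the first klist above shows), krbtgt/REMOTE@LOCAL denotes a cross-realm TGT, and a bare krbtgt@REALM is flagged separately. The sample input is constructed from the message's own klist output; the function names are mine.

```python
import re

# Constructed sample input: the klist output quoted in the message above.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil@ISD.USC.EDU

Valid starting     Expires            Service principal
07/07/05 14:34:25  07/08/05 00:34:23  krbtgt/ISD.USC.EDU@ISD.USC.EDU
"""

# One ticket line: start timestamp, expiry timestamp, service principal.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)


def parse_klist(text):
    """Return (default_realm, [ticket dicts]) from MIT klist output."""
    realm = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            # Realm of the client principal, e.g. ISD.USC.EDU
            realm = line.split("@", 1)[1].strip()
            continue
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({"start": m.group(1),
                            "expires": m.group(2),
                            "service": m.group(3)})
    return realm, tickets


def classify_tgt(service, default_realm):
    """Classify a service principal relative to the client's realm."""
    name, _, realm = service.rpartition("@")
    if not name.startswith("krbtgt"):
        return "service"                  # ordinary service ticket
    parts = name.split("/")
    if len(parts) == 1:
        return "krbtgt-without-instance"  # bare krbtgt@REALM form
    if parts[1] == default_realm and realm == default_realm:
        return "local-tgt"                # krbtgt/REALM@REALM
    return "cross-realm-tgt"              # krbtgt/REMOTE@LOCAL (or foreign)
```

Running classify_tgt over each parsed ticket makes the difference between the two krbtgt forms in the message visible at a glance.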
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos