Subject: kerb problems (Re: can't migrate master key to Heimdal)
To: Aidan Cully <aidan@kublai.com>
From: one more medicated peaceful moment <dive@endersgame.net>
List: tech-crypto
Date: 07/01/2000 21:56:57

I have been having problems with Kerberos since going to 1.5 as well. On
my system I can't figure out how to make it *not* try and authenticate with
Kerberos... so login/su/etc. all try to find a krb realm and block for a
few seconds while they wait for the gethostbyname to time out. I sent a PR
about this and received no response. Does anyone know how to fix it?

On Sat, 1 Jul 2000, Aidan Cully wrote:

> Date: Sat, 1 Jul 2000 14:58:56 -0400
> From: Aidan Cully <aidan@kublai.com>
> To: tech-crypto@netbsd.org, current-users@netbsd.org
> Subject: can't migrate master key to Heimdal
> 
> Now that crypto-us is gone, and replaced with the old crypto-intl, I
> thought it might be a good time to start experimenting with Heimdal.
> So I tried to migrate my old KDC to Heimdal.  gurk.
> 
> First: the master_key file is in a different format.  I have to write
> a little utility for my local db to rewrite the contents of the
> master_key in a format that Heimdal can understand.  Fine, a few
> iterations of working out how the interface to encode_EncryptionKey
> works go by, and the utility is written.  I've got my master key in
> ASN.1 encoding on my hard drive.
> 
> Second: Heimdal refuses outright all master keys that aren't enctype
> ETYPE_DES_CBC_MD5.  Mine was ETYPE_DES_CBC_CRC.  I haven't dug around
> enough to find out if it won't also accept DES_CBC_CRC...  I strongly
> suspect that it won't.  The point is: AAARRRGGGHHH!!!
> I think, for me, the quickest solution will be a utility to migrate
> the principal.db to a different master key.  I've thought for a while
> that such a utility was necessary...  I guess it's time to get it out
> of the way.  We'll see how things go after that...
> 
> The moral is, don't try to migrate your MIT KDCs to Heimdal, yet.  As
> far as I can see, there isn't an upgrade path available.
> 
> --aidan
>