Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials

Lars Schimmer l.schimmer at cgv.tugraz.at
Tue Mar 9 05:06:16 EST 2010


Hi!

I want to set up a Windows 2008R2 server as an AD with a KDC to obtain
krb5 tickets and later on obtain OpenAFS tokens with these tickets.

Our setup:
running Windows 2003 server with AD CGV.TUGRAZ.AT and running krb5 kdc
on it.
User, service principal afs for OpenAFS, works well so far.

I added a second server with Windows 2008R2, added 2nd server to the AD
domain and raised 2nd server as AD server.

I set on the Win 2008R2:
- Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
- In the DC's Local Security Policy, I enabled all ciphers by checking
all 6 boxes at Security Settings \ Local Policies \ Security Options \
"Network security: Configure encryption types allowed for Kerberos"
- I set "use DES enctypes" for some test users (it was enabled for the
afs service principal)

I restarted the Win 2008R2 and set up a test client with Debian and krb5
version 1.8+dfsg~alpha1-7.
I have a Windows 7 Enterprise test machine, too.

On the Debian client I set the:

 allow_weak_crypto = true
option in krb5.conf.

With the Win 2003 kdc server I could obtain tickets and tokens.
If I set the Win2008R2 server active in krb5.conf I get the:
kinit: KDC has no support for encryption type while getting initial
credentials
error.
This error appears on Win7 with Network ID Manager 1.3.1.0, too.

Any idea how I can set the win2008R2 active to send out valid tickets
from which I could obtain OpenAFS tokens?


Kind regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
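An added example, not part of the original post: a Python check of the client-side setting the message describes. It reads the `[libdefaults]` section of a krb5.conf and reports whether single-DES enctypes remain usable by the client. The function names and sample configs are constructed; it assumes a krb5 release that still ships single-DES, such as the 1.8 in the post.

```python
import re

# Single-DES enctype names as MIT krb5 spells them ("des" is the family alias).
# Assumption: the release still ships DES and includes it in its built-in lists.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}

# Constructed sample: the client setting from the post, no explicit enctype lists.
POST_CLIENT = """
[libdefaults]
    default_realm = CGV.TUGRAZ.AT
    allow_weak_crypto = true
"""
# Constructed sample: weak crypto allowed, but the ticket list leaves DES out.
AES_ONLY = """
[libdefaults]
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
"""


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def des_status(text):
    """Describe whether this client config lets single-DES be used."""
    conf = parse_libdefaults(text)
    weak_ok = conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    listed = {}
    for key in ENCTYPE_KEYS:
        if key in conf:
            # Plain comma/space separated lists only; DEFAULT and +/- are not handled.
            names = re.split(r"[,\s]+", conf[key].lower())
            listed[key] = sorted(SINGLE_DES.intersection(names))
    return {"allow_weak_crypto": weak_ok, "des_listed": listed,
            "des_usable": weak_ok and all(listed.values())}
```

This covers only the client side of the setup; the error quoted in the post is returned by the KDC.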
