Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials

Douglas E. Engert deengert at anl.gov
Tue Mar 9 11:48:25 EST 2010



Lars Schimmer wrote:
> 
> Hi!
> 
> I want to set up a Windows 2008R2 server as an AD with a KDC to obtain
> krb5 tickets and later on obtain OpenAFS tokens with these tickets.
> 
> Our setup:
> running Windows 2003 server with AD CGV.TUGRAZ.AT and running krb5 kdc
> on it.
> User and service principal afs for OpenAFS work well so far.
> 
> I added a second server with Windows 2008R2, added 2nd server to the AD
> domain and raised 2nd server as AD server.
> 
> I set on the Win 2008R2:
> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - In the DC's Local Security Policy, I enabled all ciphers by checking
> all 6 boxes at Security Settings \ Local Policies \ Security Options \
> "Network security: Configure encryption types allowed for Kerberos"
> - I set "use DES enctypes" for some test users (it was enabled for the
> afs service principal)
> 
> I restarted the Win 2008R2 and set up a test client with Debian and krb5
> version 1.8+dfsg~alpha1-7.
> I have a Windows 7 Enterprise test machine, too.
> 
> On debian client I set the:
> 
>  allow_weak_crypto = true
> option in krb5.conf.
> 
> With the Win 2003 KDC server I could obtain tickets and tokens.
> If I set the Win2008R2 server active in krb5.conf I get the:
> kinit: KDC has no support for encryption type while getting initial
> credentials
> error.

What user are you using with the kinit?
Does a network trace show anything?

We have seen issues with using the kinit -k with a keytab
if the keytab does not have the highest enctype both client and server
support (AES256).

All of our DCs are now 2008R2, and afs aklog works well on
Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7 clients.

> This error appears on Win7 with Network ID Manager 1.3.1.0, too.
> 
> Any idea how I can set the win2008R2 active to send out valid tickets
> from which I could obtain OpenAFS tokens?
> 
> 
> MfG,
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
> Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
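The reply above points at the keytab's enctypes as the thing to check when kinit -k fails against a 2008R2 KDC. As an added example (not code from either poster), this small parser reads `klist -kte` output, lists the enctypes stored per principal, and flags principals that lack the strongest enctype or carry DES keys, which on an MIT 1.8 client only work with allow_weak_crypto. The klist text and the principal names are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of MIT `klist -kte` output; not a real keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/09/2010 11:48:25 afs/cgv.tugraz.at@CGV.TUGRAZ.AT (des-cbc-crc)
   3 03/09/2010 11:48:25 afs/cgv.tugraz.at@CGV.TUGRAZ.AT (arcfour-hmac)
   5 03/09/2010 11:50:01 host/client.cgv.tugraz.at@CGV.TUGRAZ.AT (aes256-cts-hmac-sha1-96)
   5 03/09/2010 11:50:01 host/client.cgv.tugraz.at@CGV.TUGRAZ.AT (aes128-cts-hmac-sha1-96)
"""

# One keytab entry: kvno, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

# Single-DES enctypes: MIT 1.8 refuses them unless allow_weak_crypto = true.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def parse_klist(text):
    """Map each principal in `klist -kte` output to the set of enctypes it has keys for."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _kvno, principal, enctype = m.groups()
            keys[principal].add(enctype)
    return dict(keys)


def check_keytab(text, strongest="aes256-cts-hmac-sha1-96"):
    """Per principal: is the strongest enctype present, and are any DES keys present?"""
    report = {}
    for principal, enctypes in parse_klist(text).items():
        report[principal] = {
            "enctypes": sorted(enctypes),
            "has_strongest": strongest in enctypes,
            "needs_weak_crypto": bool(enctypes & DES_ENCTYPES),
        }
    return report


if __name__ == "__main__":
    for principal, info in check_keytab(SAMPLE_KLIST).items():
        print(principal, info)
```

Run it against real output with `klist -kte /etc/krb5.keytab | python3 check_keytab.py` by reading stdin instead of SAMPLE_KLIST; a principal with has_strongest False is the case the reply describes.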


