Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials
Lars Schimmer
l.schimmer at cgv.tugraz.at
Wed Mar 10 04:20:16 EST 2010
Douglas E. Engert wrote:
>
>
>> What user are you using with the kinit?
I did use the users with "use DES enctypes" enabled.
Now I tried with the users without this function enabled and I get
tickets. But no tokens :-(
Error:
adiotest:~# kinit schimmer
Password for schimmer at CGV.TUGRAZ.AT:
adiotest:~# aklog
aklog: Couldn't get cgv.tugraz.at AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
adiotest:~# tokens
Tokens held by the Cache Manager:
--End of list--
adiotest:~#
klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: schimmer at CGV.TUGRAZ.AT
Valid starting Expires Service principal
03/10/10 10:18:24 03/11/10 10:18:24 krbtgt/CGV.TUGRAZ.AT at CGV.TUGRAZ.AT
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
So looks like no DES enctype for OpenAFS.
But I need DES enctypes.
>> Does a network trace show anything?
Not so far yet.
>> We have seen issues with using the kinit -k with a keytab
>> if the keytab does not have the highest enctype both client and server
>> support (AES256).
I want to obtain tokens with the PAM module later on (and on Windows 7
while login, I never used the -k option so far).
>> All of our DCs are now 2008R2, and afs aklog works well on
>> and Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7
>> clients.
I want that setup, too. But how do I enable the DES enctypes....
Thank you so far.
MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723