Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials

Douglas E. Engert deengert at anl.gov
Wed Mar 10 10:42:21 EST 2010


Your problem is more of an OpenAFS problem in how it has to use
DES. You should ask on the OpenAFS list, as there
have been similar issues before on setting up the afs/cell
principal.

Lars Schimmer wrote:
> Douglas E. Engert wrote:
>>
> 
>>> What user are you using with the kinit?
> 
> I did use the users with "use DES enctypes" enabled.

Only the AD account for the afs and afs/cell principals
need to have DES. All others can use the defaults.

> Now I tried with the users without this function enabled and I get
> tickets. But no tokens :-(
> Error:
> adiotest:~# kinit schimmer
> Password for schimmer at CGV.TUGRAZ.AT:
> adiotest:~# aklog
> aklog: Couldn't get cgv.tugraz.at AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> adiotest:~# tokens
> 

aklog -d will show some debug output.

What versions of OpenAFS and Kerberos are running on the client?


> Tokens held by the Cache Manager:
> 
>    --End of list--
> adiotest:~#
> 
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: schimmer at CGV.TUGRAZ.AT
> 
> Valid starting     Expires            Service principal
> 03/10/10 10:18:24  03/11/10 10:18:24  krbtgt/CGV.TUGRAZ.AT at CGV.TUGRAZ.AT
>         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> 
> So looks like no DES enctype for OpenAFS.

You also said in a previous note:

> I set on the Win 2008R2:
> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - In the DC's Local Security Policy, I enabled all ciphers by checking
> all 6 boxes at Security Settings \ Local Policies \ Security Options \
> "Network security: Configure encryption types allowed for Kerberos"
> - I set "use DES enctypes" for some test users (it was enabled for the
> afs service principal)


I don't recall asking our AD admin to make these registry changes in 2008
to get AFS to work. This may be your problem. It may override
the ADS_UF_USE_DES_KEY_ONLY in the UserAccountControl attribute in the account.

On the afs service account what are the values of the
msDS-SupportedEncryptionTypes, UserAccountControl and msDS-KeyVersionNumber
attributes?

http://msdn.microsoft.com/en-us/library/cc223853(PROT.13).aspx
http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx


> But I need DES enctypes.
> 
>>> Does a network trace show anything?
> 
> Not so far yet.

Wireshark can show the AS-REQ when aklog requests the ticket
for afs/afs/cgv.tugraz.at, and the AS-REP or ERROR packet returned.


> 
>>> We have seen issues with using the kinit -k  with a keytab
>>> if the keytab does not have the highest enctype both client and server
>>> support (AES256).
> 
> I want to obtain tokens with the PAM module later on (and on Windows 7
> while login, I never used the -k option so far).
> 
>>> All of our DCs are now 2008R2, and afs aklog works well on
>>> Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7
>>> clients.
> 
> I want that setup, too. But how do I enable the DES enctypes....
> 
> Thank you so far.
> 
> MfG,
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
> Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
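As an added illustration, not code from this thread or from OpenAFS: a small Python helper that decodes the aklog error number quoted above (it is a krb5 com_err code) and the two afs service account attributes Douglas asks Lars to check. The flag bit values are the documented Windows msDS-SupportedEncryptionTypes and userAccountControl constants; the sample account values at the bottom are constructed.

```python
"""Decode the aklog error code and afs account attributes from the thread.

Added example, not the thread's own code. Flag values are the documented
Windows constants; the sample account values are constructed for the demo.
"""

# com_err base of the krb5 error table; a KDC error is BASE + its RFC 4120 code.
KRB5_ERROR_TABLE_BASE = -1765328384
KDC_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
}

# msDS-SupportedEncryptionTypes bit flags on the account object.
SUPPORTED_ETYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
DES_MASK = 0x03

# userAccountControl flag behind the "use DES enctypes" checkbox.
ADS_UF_USE_DES_KEY_ONLY = 0x200000


def decode_krb5_error(code):
    """Map the numeric code aklog prints to the KDC error name it stands for."""
    return KDC_ERROR_NAMES.get(code - KRB5_ERROR_TABLE_BASE, "unknown")


def decode_supported_etypes(mask):
    """List the enctypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [n for bit, n in sorted(SUPPORTED_ETYPE_FLAGS.items()) if mask & bit]


def afs_account_des_status(supported_etypes, user_account_control):
    """Report the DES-related state of an afs service account.

    Flags a clear conflict: the account is marked DES-only in userAccountControl
    while a non-zero msDS-SupportedEncryptionTypes value lists no DES enctype.
    """
    des_only = bool(user_account_control & ADS_UF_USE_DES_KEY_ONLY)
    des_types = [e for e in decode_supported_etypes(supported_etypes) if "DES" in e]
    warnings = []
    if des_only and supported_etypes and not des_types:
        warnings.append("USE_DES_KEY_ONLY set but no DES bit in msDS-SupportedEncryptionTypes")
    return {"use_des_key_only": des_only, "des_enctypes": des_types, "warnings": warnings}


if __name__ == "__main__":
    print(decode_krb5_error(-1765328370))        # the code from Lars's aklog output
    print(afs_account_des_status(0x03, 0x210200))  # constructed: DES-only afs account
```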


