Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials
Lars Schimmer
l.schimmer at cgv.tugraz.at
Tue Mar 16 10:20:11 EDT 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Douglas E. Engert wrote:
> Your problem is more of an OpenAFS problem in how it has to use
> DES. You should be ask on the OpenAFS list, as there
> have been similar issues before on setting up the afs/cell
> principal.
Maybe, maybe not. As it works with 2003, it is somehow a problem of 2008R2
sending out the correct DES enctypes.
>>>>> What user are you using with the kinit?
>
> I did use the users with "use DES enctypes" enabled.
>
>> Only the AD account for the afs and afs/cell principals
>> need to have DES. All others can use the defaults.
Ok, good to know.
> Now I tried with the users without this function enabled and I get
> tickets. But no tokens :-(
> Error:
> adiotest:~# kinit schimmer
> Password for schimmer at CGV.TUGRAZ.AT:
> adiotest:~# aklog
> aklog: Couldn't get cgv.tugraz.at AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> adiotest:~# tokens
>
>
>> aklog -d will show some debug output.
>
>> What versions of OpenAFS and Kerberos are running on the client?
OpenAFS 1.4.11 from lenny-backports and krb5-user:
Installed: 1.8+dfsg~alpha1-7
On Win7 netID manager 1.3.1.0
> Tokens held by the Cache Manager:
>
> --End of list--
> adiotest:~#
>
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: schimmer at CGV.TUGRAZ.AT
>
> Valid starting Expires Service principal
> 03/10/10 10:18:24 03/11/10 10:18:24 krbtgt/CGV.TUGRAZ.AT at CGV.TUGRAZ.AT
> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> So looks like no DES enctype for OpenAFS.
>
>> You also said in a previous note:
>
> I set on the Win 2008R2:
> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - In the DC's Local Security Policy, I enabled all ciphers by checking
> all 6 boxes at Security Settings \ Local Policies \ Security Options \
> "Network security: Configure encryption types allowed for Kerberos"
> - I set "use DES enctypes" for some test users (it was enabled for the
> afs service principal)
>
>
>> I don't recall asking our AD admin to make these registry changes in 2008
>> to get AFS to work. This may be your problem. It may override
>> the ADS_UF_USE_DES_KEY_ONLY in the UserAccountControl attribute in the
>> account.
Hm. Other guys told me I have to re-enable the DES enctypes to use the server
with OpenAFS again. But if the setting in the AD says "enable DES", it
should be the same as "use DES enctypes" in the account, shouldn't it?
>> On the afs service account what are the values of the
>> msDS-SupportedEncryptionTypes, UserAccountControl and msDS-KeyVersionNumber
>> attributes?
>
>> http://msdn.microsoft.com/en-us/library/cc223853(PROT.13).aspx
>> http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx
Got me. Where do I change those parts? In the account details of the
domain I do not see those.
Thank you so far.
MfG,
Lars Schimmer
- --
- -------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
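The attributes Douglas asks about (msDS-SupportedEncryptionTypes, UserAccountControl, msDS-KeyVersionNumber) are raw LDAP attributes on the account object; they do not appear on the Account tab in Active Directory Users and Computers, which is why they are not visible in the account details. The following PowerShell is an added example, not code from this thread or from OpenAFS; it assumes the RSAT ActiveDirectory module on a domain-joined Windows host, and that the service account's sAMAccountName is "afs" (an assumption; substitute whichever account carries the afs/cell SPN). The bit values are the ones documented for msDS-SupportedEncryptionTypes in MS-KILE and for ADS_UF_USE_DES_KEY_ONLY in the UserAccountControl reference Douglas linked.

```powershell
# Added example, not from the mailing-list thread.
# Assumes: RSAT ActiveDirectory module, domain-joined host,
# and that the AFS service account is named 'afs' (assumption).
Import-Module ActiveDirectory

$account = 'afs'   # sAMAccountName of the account holding afs/cell (assumed)

# msDS-SupportedEncryptionTypes bit layout (MS-KILE)
$etypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}
# ADS_UF_USE_DES_KEY_ONLY bit in userAccountControl; this is what the
# "Use DES encryption types for this account" checkbox sets.
$UF_USE_DES_KEY_ONLY = 0x200000

$u = Get-ADUser -Identity $account -Properties 'msDS-SupportedEncryptionTypes',
        'userAccountControl', 'msDS-KeyVersionNumber', 'servicePrincipalName'

$set = [int]($u.'msDS-SupportedEncryptionTypes')   # $null -> 0 when unset
$uac = [int]$u.userAccountControl
$desOnly = ($uac -band $UF_USE_DES_KEY_ONLY) -ne 0

"Account                      : $($u.SamAccountName)"
"servicePrincipalName         : $($u.servicePrincipalName -join ', ')"
"msDS-KeyVersionNumber (kvno) : $($u.'msDS-KeyVersionNumber')"
"userAccountControl           : 0x{0:X} (USE_DES_KEY_ONLY = {1})" -f $uac, $desOnly
if ($set -eq 0) {
    "msDS-SupportedEncryptionTypes: not set (attribute absent, DC default applies)"
} else {
    $names = $etypeBits.Keys | Where-Object { $set -band $_ } | ForEach-Object { $etypeBits[$_] }
    "msDS-SupportedEncryptionTypes: 0x{0:X} ({1})" -f $set, ($names -join ', ')
}

# Run on the DC itself: the registry override discussed in the thread.
# Absent value means the KDC is not honouring the client's requested etypes.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
    -Name 'KdcUseRequestedEtypesForTickets' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty KdcUseRequestedEtypesForTickets
```

The kvno printed here is the value the keytab on the AFS servers has to match; compare it with `klist -k -e` on the fileserver after any password reset of the account, since a reset bumps msDS-KeyVersionNumber and leaves an old keytab unusable.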