Your problem is more of an OpenAFS problem in how it has to use DES. You should ask on the OpenAFS list, as there have been similar issues before on setting up the afs/cell principal.
Lars Schimmer wrote:
> Douglas E. Engert wrote:
>>
>>> What user are you using with the kinit?
>
> I did use the users with "use DES enctypes" enabled.

Only the AD account for the afs and afs/cell principals need to have DES. All others can use the defaults.

> Now I tried with the users without this function enabled and I get
> tickets. But no tokens :-(
> Error:
> adiotest:~# kinit schimmer
> Password for [email protected]:
> adiotest:~# aklog
> aklog: Couldn't get cgv.tugraz.at AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> adiotest:~# tokens

aklog -d will show some debug output. What versions of OpenAFS and Kerberos are running on the client?

> Tokens held by the Cache Manager:
>
> --End of list--
> adiotest:~#
>
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 03/10/10 10:18:24  03/11/10 10:18:24  krbtgt/[email protected]
>         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> So looks like no DES enctype for OpenAFS.

You also said in a previous note:

> I set on the Win 2008R2:
> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
>   value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - In the DC's Local Security Policy, I enabled all ciphers by checking
>   all 6 boxes at Security Settings \ Local Policies \ Security Options \
>   "Network security: Configure encryption types allowed for Kerberos"
> - I set "use DES enctypes" for some test users (it was enabled for the
>   afs service principal)

I don't recall asking our AD admin to make these registry changes in 2008 to get AFS to work. This may be your problem. It may override the ADS_UF_USE_DES_KEY_ONLY in the UserAccountControl attribute in the account.

On the afs service account what are the values of the msDS-SupportedEncryptionTypes, UserAccountControl and msDS-KeyVersionNumber attributes?

http://msdn.microsoft.com/en-us/library/cc223853(PROT.13).aspx
http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx

> But I need DES enctypes.
>
>>> Does a network trace show anything?
>
> Not so far yet.

Wireshark can show the AS-REQ when aklog requests the ticket for afs/afs/cgv.tugraz.at, and the AS-REP or ERROR packet returned.

>>> We have seen issues with using the kinit -k with a keytab
>>> if the keytab does not have the highest enctype both client and server
>>> support (AES256).
>
> I want to obtain tokens with the PAM module later on (and on Windows 7
> while login, I never used the -k option so far).
>
>>> All of our DCs are now 2008R2, and afs aklog works well on
>>> and Solaris 9 and 10; Ubuntu Dapper-Karmic; Windows XP, Vista and W7
>>> clients.
>
> I want that setup, too. But how do I enable the DES enctypes....
>
> Thank you so far.
>
> Regards,
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405   E-Mail: [email protected]
> Fax: +43 316 873-5402   PGP-Key-ID: 0x4A9B1723
>
> ________________________________________________
> Kerberos mailing list   [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
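The reply above asks the poster to look at three raw numbers (the aklog error code and the account's msDS-SupportedEncryptionTypes and UserAccountControl values), all of which are easier to interpret once decoded. The following is an added example, not code from this thread, from OpenAFS or from MIT Kerberos: it maps the number aklog printed back onto the krb5 error table (ERROR_TABLE_BASE_krb5 plus the RFC 4120 error code), expands the two AD bitmask attributes, and pulls the enctypes out of klist -e output. The sample attribute values are constructed, and the combined rule in afs_account_report (DES bit in msDS-SupportedEncryptionTypes, or ADS_UF_USE_DES_KEY_ONLY when that attribute is unset) is a simplification stated as an assumption, not a description of the KDC's exact precedence logic.

```python
"""Decode the values a Kerberos/OpenAFS admin is asked for when DES service
tickets are missing. Added example; not code from the mailing-list thread."""
import re

# ERROR_TABLE_BASE_krb5 from MIT krb5's krb5_err.h; aklog prints the raw code.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of the KDC/AP error codes from RFC 4120 section 7.5.9.
KRB5_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
MSDS_ETYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
MSDS_DES_MASK = 0x03

# UserAccountControl flags (ADS_USER_FLAG_ENUM), subset relevant here.
ADS_UF_USE_DES_KEY_ONLY = 0x200000
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    ADS_UF_USE_DES_KEY_ONLY: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
}


def krb5_error_name(code):
    """Map the raw com_err number printed by aklog/kinit to its krb5 symbolic name."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if 0 <= offset < 256:
        return KRB5_ERROR_NAMES.get(offset, "krb5 error %d" % offset)
    return "not in the krb5 error table: %d" % code


def decode_bits(value, table):
    """Names of the set bits of value in ascending bit order; unknown bits kept as hex."""
    names = [table[bit] for bit in sorted(table) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append("0x%x" % leftover)
    return names


def decode_msds_etypes(value):
    return decode_bits(value, MSDS_ETYPES)


def decode_uac(value):
    return decode_bits(value, UAC_FLAGS)


def klist_etypes(klist_e_output):
    """Return (session-key etype, ticket etype) pairs found in 'klist -e' output."""
    return re.findall(r"Etype \(skey, tkt\): (.+?), (.+)$", klist_e_output, re.M)


def afs_account_report(msds_etypes, uac, kvno):
    """Summarise an AD account used as the AFS service principal.

    Simplified rule (assumption, not from the thread): DES keys are available
    when msDS-SupportedEncryptionTypes has a DES bit set, or when that
    attribute is unset (0) and UserAccountControl carries USE_DES_KEY_ONLY.
    """
    des_by_msds = bool(msds_etypes & MSDS_DES_MASK)
    des_by_uac = msds_etypes == 0 and bool(uac & ADS_UF_USE_DES_KEY_ONLY)
    return {
        "msDS-SupportedEncryptionTypes": decode_msds_etypes(msds_etypes) or ["(unset)"],
        "UserAccountControl": decode_uac(uac),
        "msDS-KeyVersionNumber": kvno,
        "des_keys_available": des_by_msds or des_by_uac,
    }


if __name__ == "__main__":
    # Attribute values below are constructed for the demonstration.
    print(krb5_error_name(-1765328370))
    print(afs_account_report(0, 0x210200, 3))      # DES-only account, attribute unset
    print(afs_account_report(0x1C, 0x10200, 3))    # RC4/AES only, no DES
```

The number in the poster's aklog output, -1765328370, sits 14 above the krb5 error-table base, which is KDC_ERR_ETYPE_NOSUPP: the KDC is telling the client it will not issue a ticket for the requested enctype, which matches the reply's suspicion that the afs service account no longer yields a DES key.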
