Re: [OpenAFS] Force crypto type

Wed, 24 Aug 2005 10:30:18 -0700 

You need to make the change on the Active Directory account.
You must set the "use DES only" flag and then set a new password.
You can then export the key so that it can be set within AFS
using asetkey.

You must be using a version of OpenAFS 1.3.xxx or the 1.3 Release
Candidate as Active Directory wants to use DES-CBC-MD5 and that enctype
is not understood by the 1.2 series servers.

Jeffrey Altman


Davis, Adam wrote:
>>From what I read with Win-2003 SP1 KDC you can force the encryption type
> to be something that AFS can use. i.e cbc-crc cbc-md5
> 
> 
> I have tried all the following without success in krb5.conf
> 
>       default_tkt_enctypes = des-cbc-crc,des-cbc-md5
>       default_tgs_enctypes = des-cbc-crc,des-cbc-md5
>       default_etypes = des-cbc-crc,des-cbc-md5
>       default_etypes_des = des-cbc-crc,des-cbc-md5
>       permitted_enctypes =des-cbc-crc des-cbc-md5 des-cbc-crc
> 
> I can force the skey part of the Etype to be CRC by the looks of it but
> I still end up with ArcFour MD5 in the second part.
> 
> 
> -bash-2.05b# klist -e -f
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>  
> Valid starting     Expires            Service principal
> 08/24/05 13:15:23  08/24/05 23:15:23  krbtgt/[EMAIL PROTECTED]
>         Flags: IA, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour
> with HMAC/md5 
> 08/24/05 13:16:11  08/24/05 23:15:23  afs/[EMAIL PROTECTED]
>         Flags: A, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc
> mode with RSA-MD5
>  
> 
> 
> Am I missing something here ? I am guessing that this is not working
> because of the encryption type and not something else I am doing wrong 
> 
> Regards
> 
> Adam....
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info

begin:vcard
fn:Jeffrey Altman
n:Altman;Jeffrey
org:Secure Endpoints Inc.
adr:;;255 W 94TH ST PHB;NEW YORK;NY;10025;United States
email;internet:[EMAIL PROTECTED]
title:President
tel;work:+1 212 769-9018
x-mozilla-html:TRUE
url:http://www.secure-endpoints.com
version:2.1
end:vcard

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to