Steve Devine <[EMAIL PROTECTED]> wrote:
> Does the order of the enctypes listed in the kdc affect this?
> This is my current kdc.conf entry:
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des-cbc-crc:v4 des-cbc-crc:afs3
> I'm not sure how to manipulate the kvno on the AD

I currently have the following on a KDC with an AD domain trust:

supported_enctypes = aes256-cts:normal aes128-cts:normal rc4-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal

I suspect that you may want at least the rc4-hmac:normal in that list, as that is one of the enc_types that AD supports.

I remember that I had no luck getting the trust to work when using specific enc_types in the -e option to ktadd. Completely omitting the "-e" seemed to work though. This could be something odd in my environment though. For instance, my cross-realm TGT has AES enc_types that are not actually supported by Windows:

kadmin.local: getprinc krbtgt/[EMAIL PROTECTED]
Principal: krbtgt/[EMAIL PROTECTED]
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt

You can turn on RC4 for the realm trust using ktpass.exe. If you join #kerberos on Freenode IRC there are smart people in the channel who can help you with this.

<<CDC
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
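
A check for the mismatch discussed in this thread, as an added example that is not part of the original message: it compares a kdc.conf supported_enctypes line and the Key lines from getprinc against the enctypes the other side of the trust accepts. The function names and the PEER list (rc4-hmac plus des-cbc-crc) are assumptions; set PEER to what your AD domain actually supports.

```python
import re

# Short aliases used in kdc.conf -> canonical MIT enctype names (names from this thread only).
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1", "rc4-hmac": "arcfour-hmac",
           "aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}
# Descriptions printed by kadmin getprinc -> canonical names.
DESCRIPTIONS = {"Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
                "DES cbc mode with CRC-32": "des-cbc-crc",
                "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
                "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
                "ArcFour with HMAC/md5": "arcfour-hmac"}

def canon(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def conf_enctypes(line):
    """Canonical enctypes named in a 'supported_enctypes = ...' line (salts dropped)."""
    value = line.split("=", 1)[1]
    return {canon(item.partition(":")[0])
            for item in re.split(r"[\s,]+", value.strip()) if item}

def principal_keys(getprinc_text):
    """[(kvno, enctype)] for each 'Key:' line of getprinc output."""
    return [(int(k), DESCRIPTIONS.get(d.strip(), d.strip()))
            for k, d in re.findall(r"Key: vno (\d+), ([^,\n]+)", getprinc_text)]

def trust_report(conf_line, getprinc_text, peer_enctypes):
    peer = {canon(e) for e in peer_enctypes}
    keys = principal_keys(getprinc_text)
    return {"peer_enctypes_missing_from_conf": sorted(peer - conf_enctypes(conf_line)),
            "keys_peer_can_use": [k for k in keys if k[1] in peer],
            "keys_peer_cannot_use": [k for k in keys if k[1] not in peer]}

# Inputs copied from the thread; PEER is an assumption about the AD side.
STEVE_CONF = ("supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal "
              "des-cbc-crc:v4 des-cbc-crc:afs3")
GETPRINC = """Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt"""
PEER = ["rc4-hmac", "des-cbc-crc"]

if __name__ == "__main__":
    for name, value in trust_report(STEVE_CONF, GETPRINC, PEER).items():
        print(name, value)
```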
