Eric Chris Garrison <[email protected]> writes:

> So, we got a des-crc-md5 service principal from our ADS admin. Now the
> ticket decoding is failing in krb5_des_decrypt() in rxkad/ticket5.c on
> the server side.
>
> After aklog, this is what klist shows for afs/afstest.iu.edu:
> 07/16/09 14:43:22 07/17/09 00:43:12 afs/[email protected]
> renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode
> with CRC-32, DES cbc mode with RSA-MD5
>
> In FileLog:
> Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0
>
> That 0 should be 2 for properly authenticated connections. At first it
> failed because the enctype wasn't supported. Now that they have that
> DES flag set in the kdc, it fails because it can't decrypt the encrypted
> part of the k5 ticket.

Did you update KeyFile with the new service principal that you got from
your ADS admin and make sure that the kvno in KeyFile matches the kvno in
Active Directory?

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
