Eric Chris Garrison wrote: > Okay, we continue to fight this. We found that despite having an > alternate realm name in /usr/afs/etc/krb.conf, users from that realm were > being treated as unauthorized, anonymous users, rather than being mapped > as they should be. > > We looked into enctypes as a possible culprit. We were using des-cbc-crc, > but when we'd do an aklog, ADS returns des-cbc-md5, and they said they can > not restrict it to just one type, but can restrict it to just DES types. > (The ADS admin said they set the "Use Kerberos DES encryption types" flag).
des-cbc-md5 is fine. after you set the DES-only bit you need to generate assign a new password for the account and re-export the keytab with a new kvno which then needs to be imported into the AFS KeyFile Jeffrey Altman _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
