Lars:
I did get past the issuing of DES tickets. I have other problems (see my
recent message to the list), but I did enable DES tickets on 2008R2. I did
the following (not all may be required).
- In the DC's Local Security Policy, I enabled all ciphers by checking all
6 boxes at Security Settings \ Local Policies \ Security Options \ "Network
security: Configure encryption types allowed for Kerberos"
- In AD in the Default Domain Controllers Policy, Computer Configuration \
Policies \ Administrative Templates \ System/Net Logon \ "Allow
cryptography algorithms compatible with Windows NT 4.0" (Enable). [I'd bet
this step isn't necessary; I was grasping when I tried it and haven't
backed out to check yet.]
- Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with value
1 at HKLM\SYSTEM\CurrentControlSet\services\kdc. Without this, the DC won't
talk DES to clients, even if you do extract a DES-only keytab (you'll see
"KDC has no support for encryption type" messages).
- Reboot the DC (at least restart the KDC process is required)
- Create your afscell account in AD.
- Checked "Use Kerberos DES encryption types for this account" on the
Account tab of the afscell user account in AD. I'd also recommend password
never expires.
- Extract the keytab similarly to this. Adjust to taste:
ktpass -princ afs/celln...@addomainname -mapuser afsc...@addomainname
-mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly -ptype
KRB5_NT_PRINCIPAL +DumpSalt -kvno 3
Note that in my experience, your specified kvno must equal or exceed the
number of times the user's keytab has been extracted. If you specify a kvno
of 3, then go back and ask for a kvno of 1 for the same user account, you
won't get it (but you will get a keytab with the next higher kvno). It's
recommended to verify the kvno and the etype of the keytab using your
favorite method prior to importing into your afs keyfile.
Also, I had to delete and re-create my afscell user's account in AD after
making the changes to the DC detailed above to enable DES. Extracting a
keytab for an account made before the changes didn't work for me. Your
mileage may vary.
Cheers, Stephen
--
Stephen Joyce
Systems Administrator
PANIC - Physics and Astronomy Network Infrastructure and Computing
University of North Carolina at Chapel Hill
voice: 919.962.7214
fax: 919.962.0480
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
-Robert A. Heinlein
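Stephen's post recommends verifying the kvno and etype of the ktpass output before importing it into the AFS KeyFile. The following is an added example, not code from either poster or from the OpenAFS project: a small parser for the version 0x0502 keytab format that ktpass, MIT and Heimdal write, plus a check that the extracted entry is a single des-cbc-crc (etype 1) key at the kvno that was requested. The principal name, realm, timestamp and key bytes in the sample keytab are constructed placeholders; the key material is never printed or used.

```python
import struct
import sys
from typing import List, NamedTuple, Tuple

# Encryption type numbers from the IANA Kerberos registry (RFC 3961 numbering).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1


class KeytabEntry(NamedTuple):
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    etype: int
    key_len: int


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16-length-prefixed octet string at off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab, recording metadata only (keys are skipped, not kept)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    entries: List[KeytabEntry] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:               # a negative size marks a deleted entry (a hole)
            off += -size
            continue
        if size == 0:
            break
        ent, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", ent, p)
        p += 2
        realm, p = _counted(ent, p)          # realm precedes the name components
        comps = []
        for _ in range(ncomp):
            c, p = _counted(ent, p)
            comps.append(c.decode("utf-8"))
        name_type, timestamp, vno8, etype, key_len = struct.unpack_from(">IIBHH", ent, p)
        p += 13 + key_len                    # step over the key bytes themselves
        kvno = vno8
        if p + 4 <= len(ent):                # optional 32-bit kvno; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", ent, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode("utf-8"),
                                   name_type, timestamp, kvno, etype, key_len))
        off += size
    return entries


def check_afs_keytab(entries: List[KeytabEntry], expected_kvno: int) -> List[str]:
    """Return problems found; an empty list means one DES-CBC-CRC afs/ key at expected_kvno."""
    problems: List[str] = []
    if not entries:
        problems.append("keytab contains no entries")
    for e in entries:
        if not e.principal.startswith("afs/"):
            problems.append(f"unexpected principal {e.principal}")
        if e.etype != 1:
            name = ETYPE_NAMES.get(e.etype, "unknown")
            problems.append(f"{e.principal}: etype {e.etype} ({name}) is not des-cbc-crc")
        elif e.key_len != 8:
            problems.append(f"{e.principal}: DES key length {e.key_len} != 8")
        if e.kvno != expected_kvno:
            problems.append(f"{e.principal}: kvno {e.kvno} != expected {expected_kvno}")
    return problems


def build_entry(principal: str, kvno: int, etype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one 0x0502 entry; used here only to construct the sample keytab below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode("utf-8")
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)          # the optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


# Constructed sample (placeholder principal and dummy key), not a real keytab.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "afs/cell.example.com@AD.EXAMPLE.COM", 3, 1, b"\x01" * 8, 1267700000)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(data)
    for e in found:
        print(f"{e.principal} kvno={e.kvno} etype={e.etype} ({ETYPE_NAMES.get(e.etype, '?')})")
    for msg in check_afs_keytab(found, int(sys.argv[2]) if len(sys.argv) > 2 else 3):
        print("PROBLEM:", msg)
```

Run it as `python keytab_check.py afs-keytab 3` against the file ktpass produced; a kvno mismatch here is exactly the symptom Stephen describes when a lower kvno is requested than the account has already been through, and an etype other than 1 means ktpass did not honour `-crypto DES-CBC-CRC +DesOnly`.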
On Thu, 4 Mar 2010, Lars Schimmer wrote:
Hi!
Sorry for a bit OT question:
I want to extend our AD with a Windows 2008R2 server with KDC enabled.
Now I know I need to enable DES enctype again to be able to use OpenAFS
with such a KDC, but I am a bit lost where to enable this.
Found a few point on google so far:
- administrative tools for server
- for each client separate of the AD
But what is the real solution?
Regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: [email protected]
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info