On 3/21/2010 5:40 PM, Tom Mukunnemkeril wrote:
> I went and upgraded all my server/client Linux systems to Kerberos 1.8
> and OpenAFS 1.4.12.  From the posts I have read here:
> https://lists.openafs.org/pipermail/openafs-info/2010-March/033059.html
> I was under the impression I didn't have to modify krb5.conf to allow
> weak encryption because something was enabled so that aklog was able to
> get tokens with the encryption.
> 
> However, it appears I still have to modify the krb5.conf to allow it. 
> Otherwise I see this error in aklog
> r...@goro:/etc# aklog -d
> 
> Getting tickets: [email protected]
> Kerberos error code returned by get_cred : -1765328370
> aklog: Couldn't get bandaleros.net AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> 
> The krb5kdc log also indicates that the KDC has no support for
> encryption type.

The change to aklog permits the client machines to not have
their krb5.conf modified to permit weak enctypes.  However,
the KDC krb5.conf still has to be updated.  Otherwise, the
KDC will not offer the DES enctype in the first place.

Jeffrey Altman
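
An added example, not part of the original messages: a shell function an administrator can run on the KDC host and on clients to see whether a krb5.conf enables weak enctypes. It assumes the MIT Kerberos 1.8 `allow_weak_crypto` setting in `[libdefaults]` is the krb5.conf change the thread refers to; the function name, sample file and realm EXAMPLE.TEST are constructed.

```shell
#!/bin/sh
# weak_crypto_setting FILE
# Prints the allow_weak_crypto value found in the [libdefaults] section
# of a krb5.conf-style file: "true", "false", or "unset".
# In MIT Kerberos 1.8 an unset value means weak enctypes (DES) are refused.
weak_crypto_setting() {
    awk '
        # Skip comment lines (krb5.conf uses # or ; at line start)
        /^[ \t]*[#;]/ { next }
        # Track the current section header, e.g. [libdefaults]
        /^[ \t]*\[[^]]*\]/ {
            s = $0
            sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = s
            next
        }
        # Only key = value lines inside [libdefaults] matter here
        section == "libdefaults" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t\r]/, "", val)
            if (key == "allow_weak_crypto") result = tolower(val)
        }
        END {
            # Spellings the krb5 profile library treats as boolean true
            if (result ~ /^(true|yes|on|1|t|y)$/) print "true"
            else if (result == "") print "unset"
            else print "false"
        }
    ' "$1"
}

# Constructed sample: a KDC-side krb5.conf with weak enctypes re-enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_weak_crypto = true
EOF
echo "allow_weak_crypto: $(weak_crypto_setting "$sample")"
rm -f "$sample"
```

Run it against the krb5.conf the KDC process actually reads; a result of "unset" or "false" there matches the "no support for encryption type" failure quoted above.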
