On Sun, Apr 17, 2011 at 6:53 PM, Jeffrey Altman <[email protected]> wrote:
> On 4/17/2011 9:35 PM, Thomas Smith wrote:
>> Hi,
>>
>> Our AD admins replaced our local DC. We were working great when the DC
>> was Win2k3--since they replaced it with a Win2k8 DC,
>
> Win2K8 disables the DES enctype by default. It must be enabled for AFS
> tokens.

Thanks Jeffrey. Our AD admins have made this change--they enabled DES-CBC-MD5 (they left DES-CBC-CRC disabled).

We found another issue, though... It seems that this RODC is creating issues for us. What appears to be happening is the RODC issues the server a TGT. When the server attempts to acquire a TGS, the RODC forwards the request to an RWDC but that server doesn't honor the TGT issued by the RODC.

We were able to work around this issue by forcing Kerberos to connect to an RWDC. We verified functionality by successfully enumerating AD user accounts.

With Kerberos working now, and with DES-CBC-MD5 enabled, we are still getting the same RPC error.

It's my understanding that AFS uses the local krb5 install for authentication--is this the case?

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
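
Added example, not part of the original message or of OpenAFS: one way to check which enctypes the KDC actually issued for the AFS service ticket, by parsing `klist -e` output. It assumes the MIT Kerberos `klist -e` layout and an `afs/<cell>@REALM` or `afs@REALM` service principal, and it takes the quoted statement that AFS tokens need DES as the pass criterion; the sample output, realm and cell name are constructed.

```python
import re

# Constructed sample of `klist -e` output (MIT Kerberos layout).
# Realm, cell name and timestamps are placeholders, not from the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tsmith@EXAMPLE.COM

Valid starting     Expires            Service principal
04/18/11 09:00:00  04/18/11 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/25/11 09:00:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/18/11 09:00:05  04/18/11 19:00:00  afs/example.com@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)")
DES_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def parse_tickets(text):
    """Return [(service_principal, session_key_etype, ticket_etype), ...]."""
    tickets, current = [], None
    for line in text.splitlines():
        m = ETYPE_RE.search(line)
        if m and current:
            # Newer MIT releases prefix weak enctypes with "DEPRECATED:".
            skey, tkt = (e.replace("DEPRECATED:", "") for e in m.groups())
            tickets.append((current, skey, tkt))
            current = None
        elif "@" in line and not line.startswith(("Default principal", "\t", " ")):
            current = line.split()[-1]  # last column is the service principal
    return tickets


def afs_ticket_problems(text):
    """List afs service tickets that carry a non-DES enctype (assumed criterion)."""
    problems = []
    for spn, skey, tkt in parse_tickets(text):
        is_afs = spn.startswith(("afs/", "afs@"))
        if is_afs and not (skey in DES_ETYPES and tkt in DES_ETYPES):
            problems.append(f"{spn}: session key {skey}, ticket {tkt}")
    return problems


if __name__ == "__main__":
    for p in afs_ticket_problems(SAMPLE_KLIST) or ["afs ticket enctypes are DES"]:
        print(p)
```

Feeding it real `klist -e` output captured after the token request shows whether the DC is handing out DES for the afs principal or silently picking another enctype.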
