On Mon, Apr 18, 2011 at 1:06 PM, Thomas Smith <[email protected]> wrote:
> It seems that this RODC is creating issues for us. What appears to be
> happening is the RODC issues the server a TGT. When the server
> attempts to acquire a TGS, the RODC forwards the request to an RWDC,
> but that server doesn't honor the TGT issued by the RODC. We were able
> to work around this issue by forcing Kerberos to connect to an RWDC. We
> verified functionality by successfully enumerating AD user accounts.
>
> With Kerberos working now, and with DES-CBC-MD5 enabled, we are still
> getting the same RPC error. It's my understanding that AFS uses the
> local krb5 install for authentication--is this the case?
Just a guess, from a Kerberos newbie: fire up Wireshark and see what type your client is asking for in the AS-REQ and/or TGS-REQ. I believe Microsoft's RODCs insist on NT_SRV_INST, and AFS's aklog may be failing because the principal type is NT_UNKNOWN. It would match your "Decrypt integrity check failed" error.

See the discussions at:

MIT: http://permalink.gmane.org/gmane.comp.encryption.kerberos.devel/9232
Heimdal: http://permalink.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/5586
Samba: http://lists.samba.org/archive/samba-technical/2010-September/073493.html

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
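As an added illustration of the check suggested above (not code from the thread or from OpenAFS): a small Python decoder for the DER-encoded PrincipalName carried in a KDC request (RFC 4120 section 5.2.2) that reports its name-type, so you can tell whether a client sent NT-SRV-INST or NT-UNKNOWN. The two byte strings are constructed samples for an assumed afs/example.com principal, not taken from a real capture, and the "(suspect)" flag only encodes the hypothesis from the mail.

```python
"""Decode the name-type of a Kerberos PrincipalName from its DER encoding."""

# name-type values from RFC 4120 section 6.2
NAME_TYPES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST",
              3: "NT-SRV-HST", 4: "NT-SRV-XHST", 5: "NT-UID"}

def _tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Short-form and long-form lengths are both handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_principal_name(der):
    """Return (name_type, [name parts]) from a DER PrincipalName:
       SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("PrincipalName must be a SEQUENCE")
    tag, nt_wrap, pos = _tlv(body)         # [0] EXPLICIT name-type
    if tag != 0xA0:
        raise ValueError("expected [0] name-type")
    tag, nt_int, _ = _tlv(nt_wrap)
    if tag != 0x02:
        raise ValueError("name-type must be an INTEGER")
    name_type = int.from_bytes(nt_int, "big", signed=True)
    tag, ns_wrap, _ = _tlv(body, pos)      # [1] EXPLICIT name-string
    if tag != 0xA1:
        raise ValueError("expected [1] name-string")
    tag, seq, _ = _tlv(ns_wrap)
    if tag != 0x30:
        raise ValueError("name-string must be a SEQUENCE OF")
    parts, pos = [], 0
    while pos < len(seq):
        tag, s, pos = _tlv(seq, pos)
        if tag != 0x1B:                    # KerberosString is a GeneralString
            raise ValueError("KerberosString expected")
        parts.append(s.decode("ascii"))
    return name_type, parts

def describe(der):
    """Label the name-type; flag NT-UNKNOWN, the case the mail suspects the RODC rejects."""
    name_type, parts = decode_principal_name(der)
    label = NAME_TYPES.get(name_type, f"name-type {name_type}")
    return "/".join(parts) + ": " + label + (" (suspect)" if name_type == 0 else "")

# Constructed samples (assumed principal afs/example.com), NT-SRV-INST then NT-UNKNOWN
SRV_INST = bytes.fromhex("301BA003020102A11430121B036166731B0B6578616D706C652E636F6D")
UNKNOWN = bytes.fromhex("301BA003020100A11430121B036166731B0B6578616D706C652E636F6D")
```

Feed it the sname bytes Wireshark shows for the TGS-REQ, or the cname bytes for the AS-REQ, to compare what the client sends against what the RODC expects.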
