As part of an AFS/Kerberos upgrade project I am building a test cell to mimic what we may eventually have in production by using Microsoft Active Directory as my KDC. This test cell has one Windows Server 2008 R2 box running Active Directory and one RHEL 6.1 box with the OpenAFS software running on it.

I'm following the guide, and the 'Verifying the AFS Initialization Script' section, where aklog is run for the first time, is where I am stuck. I can kinit and get a ticket from AD, but when I aklog I get an error:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
01/05/12 09:35:12  01/05/12 19:35:14  krbtgt/[email protected]
        renew until 01/12/12 09:35:12

$ aklog
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

It seems that error means the KDC does not support DES-CBC-CRC. I added 'allow_weak_crypto = true' to /etc/krb5.conf; same error. I created a GPO in AD which allows DES-CBC-CRC and applied this GPO to the 'Domain Controllers' container. Same error with aklog. What else do I have to do to make DES-CBC-CRC work in Active Directory 2008?

I noticed there is a box which says 'Use Kerberos DES encryption types for this account' in the settings of each account, do I need to set that? Just on the afs principal/user or on every user of AFS in the realm? I exported the key for the afs principal from AD using 'ktpass -princ afs/[email protected] -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs.keytab'. Do I need to do the export and asetkey again after the changes I made?

Also, is there a way to have all our users in AD without enabling DES? I recall hearing that it was possible by having an MIT Kerberos box to hold the AFS principal alone with DES enabled but have all the user principals in AD without DES.

--
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
