On 3/27/2012 6:53 PM, Stefan Michael Guenther wrote: > Hi, > >> https://lists.openafs.org/pipermail/openafs-info/2011-June/036188.html >> > "In other words, your KDC has support for DES-CBC-CRC turned off." > > Hm, in my /etc/krb5kdc/kdc.conf the list of enctypes contains des-cbc-crc: > > supported_enctypes = aes256-cts:normal arcfour-hmac:normal > des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm > des:onlyrealm des:afs3 > > Shouldn't this be enough? > > Stefan
No. MIT Kerberos 1.9.x does not support DES enctypes by default. You must enable the support via the [libdefaults] enable_weak_crypto = true option. http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.3/doc/krb5-admin.html#libdefaults In addition, you need to have the DES-CBC-CRC enctype specified on the afs service principal. Jeffrey Altman
signature.asc
Description: OpenPGP digital signature
