The 1.10 Kerberos distribution does not support weak encryption types such as DES out of the box. If you do not explicitly enable support for weak encryption types it won't matter what keys you have on service principals or what other configuration is specified, weak encryption keys simply will not be used. This is an incremental step towards the removal of weak encryption types such as DES from the Kerberos ecosystem.
The AFS service principal must have a working DES key. If it doesn't, you cannot obtain service tickets for AFS that are usable. On 4/4/2012 10:04 AM, Steve Devine wrote: > MSU is preparing to upgrade from MIT Kerberos 1.6x to 1.10.1. While > doing some testing of client access I discovered that I was not able to > get a token (aklog) after kinit-ing to the test server. > In order to make this work we needed to put the following line in the > /etc/krb5.conf on the Kerberos KDC. > allow_weak_crypto = true > > This seems odd to me. I expected to need doing this on the client side > not the server. This is related to the afs principal in the KDC no > doubt, but I'm not sure why. Any thoughts? > > If this question belongs on the Kerberos list let me know. > > Thanks > > Steve Devine > Content and Collaboration > Information Technology Services > Michigan State University > _______________________________________________ > OpenAFS-info mailing list > [email protected] > https://lists.openafs.org/mailman/listinfo/openafs-info
signature.asc
Description: OpenPGP digital signature
