On Sun, 2013-05-12, at 19:35:24 -0400, Benjamin Kaduk wrote:
> On Sat, 11 May 2013, Anders Lennartsson wrote:
>
> >What enctypes are actually supported by OpenAFS 1.6.1?
> >
> >I recently upgraded from 1.4 to 1.6.1 (in Debian Wheezy) by a new
> >install. There are several computers: a Heimdal 1.6 kdc, a 1.6.1 afs
> >service, and some Linux and Windows 7 clients.
> >
> >An afs principal with (only) a des-cbc-md5 key works fine with Linux
> >clients. But the Heimdal 1.5.1 for Windows refuses to get afs tokens
> >based on that.
> >
> >After replacing afs principal with one having only a des-cbc-crc key
> >(and extracting a new KeyFile etc) both Linux and Windows clients work
> >fine.
> >
> >Why is this so?
>
> This is before my time, but I believe that MIT krb5 blacklists
> des-cbc-md5 due to there once having been a deployed buggy
> implementation. (I did not think Heimdal was affected, though.)
> des-cbc-crc and des-cbc-md5 keys are usable equivalently by AFS, of
> course.
>
> You did not say which version of OpenAFS the windows client runs.
>
> -Ben Kaduk

The following versions are playing here:

Heimdal KDC 1.6~git20120403+dfsg1-2 (Debian Wheezy)
OpenAFS [db|file]server 1.6.1-3 (Debian Wheezy)

Linux clients
  OpenAFS Linux 1.6.1-3
  Heimdal client stuff 1.6~git20120403+dfsg1-2 (Debian Wheezy)

Windows clients
  Heimdal 1.5.1 (Secure Endpoints)
  Network Identity Manager 2.0 (Secure Endpoints)
  OpenAFS Client 1.7.21 or 1.7.24

All computers have allow_weak_crypto = true in the corresponding krb
configuration file.

Linux servers and clients work fine with either des-cbc-md5 or
des-cbc-crc keytype in the afs principal.

Windows clients cannot get afs tokens if des-cbc-md5 keytype is used,
but work fine if des-cbc-crc is used.

On the page http://wiki.openafs.org/AdminFAQ/, question 3.56 (perhaps
recently added?) an explanation is given (for the error number I got)
that des-cbc-crc must be used. I would have guessed that des-cbc-md5
could also be used, at least with Windows 1.7.x clients.

In summary, I seek confirmation that this applies to 1.7 Win clients
and perhaps an explanation why des-cbc-md5 works on Linux but not Win.

Anders
