This is not going to be an OpenAFS issue. OpenAFS always requests a DES-CBC-CRC enctype in aklog (or equivalent). The treatment of DES-CBC-CRC, DES-CBC-MD5, and DES-CBC-MD4 as aliases is up to the KDC and the Kerberos library.

Jeffrey Altman

On 5/13/2013 2:07 AM, Anders Lennartsson wrote:
> On Sun, 2013-05-12, at 19:35:24 -0400, Benjamin Kaduk wrote:
>> On Sat, 11 May 2013, Anders Lennartsson wrote:
>>
>>> What enctypes are actually supported by OpenAFS 1.6.1?
>>>
>>> I recently upgraded from 1.4 to 1.6.1 (in Debian Wheezy) by a new
>>> install. There are several computers: a Heimdal 1.6 kdc, a 1.6.1 afs
>>> service, and some Linux and Windows 7 clients.
>>>
>>> An afs principal with (only) a des-cbc-md5 key works fine with Linux
>>> clients. But the Heimdal 1.5.1 for Windows refuses to get afs tokens
>>> based on that.
>>>
>>> After replacing afs principal with one having only a des-cbc-crc key
>>> (and extracting a new KeyFile etc) both Linux and Windows clients work
>>> fine.
>>>
>>> Why is this so?
>>
>> This is before my time, but I believe that MIT krb5 blacklists
>> des-cbc-md5 due to there once having been a deployed buggy
>> implementation. (I did not think Heimdal was affected, though.)
>> des-cbc-crc and des-cbc-md5 keys are usable equivalently by AFS, of
>> course.
>>
>> You did not say which version of OpenAFS the windows client runs.
>>
>> -Ben Kaduk
>
> The following versions are playing here:
>
> Heimdal KDC 1.6~git20120403+dfsg1-2 (Debian Wheezy)
> OpenAFS [db|file]server 1.6.1-3 (Debian Wheezy)
>
> Linux clients
> OpenAFS Linux 1.6.1-3
> Heimdal client stuff 1.6~git20120403+dfsg1-2 (Debian Wheezy)
>
> Windows clients
> Heimdal 1.5.1 (Secure Endpoints)
> Network Identity Manager 2.0 (Secure Endpoints)
> OpenAFS Client 1.7.21 or 1.7.24
>
> All computers have allow_weak_crypto = true in the corresponding krb
> configuration file.
>
> Linux servers and clients work fine with either des-cbc-md5 or
> des-cbc-crc keytype in the afs principal. Windows clients can not get
> afs tokens if des-cbc-md5 keytype is used, but works fine if
> des-cbc-crc is used.
>
> On the page http://wiki.openafs.org/AdminFAQ/, question 3.56 (perhaps
> recently added?) an explanation is given (for the error number I got)
> that des-cbc-crc must be used. I would have guessed that des-cbc-md5
> could also be used, at least with Windows 1.7.x clients.
>
> In summary, I seek confirmation that this applies to 1.7 Win clients
> and perhaps an explanation why des-cbc-md5 works on Linux but not Win.
>
> Anders
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
