Hi all,
After some time, I'm finally getting around to putting my personal cell back up
(this time on Debian with openafs-1.6.4 from wheezy-backports and Heimdal).
My afs/cell principal is set up thusly:
kadmin> get afs/coyhile.com
Principal: afs/[email protected]
Principal expires: never
Password expires: never
Last password change: 2013-07-19 10:00:32 UTC
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 3
Mkvno: unknown
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2013-07-19 10:00:32 UTC
Modifier: kadmin/[email protected]
Attributes:
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[3],
des3-cbc-sha1(pw-salt)[3], arcfour-hmac-md5(pw-salt)[3],
des-cbc-md5(pw-salt())[3]
PK-INIT ACL:
Aliases:
kadmin> ext -k AFSKEYFILE:/etc/openafs/server/KeyFile afs/coyhile.com
kadmin>
and in krb5.conf, I do have allow_weak_crypto = true in libdefaults.
All in all, Heimdal is working fine, but aklog is failing to get me tokens:
chaos:/var/log # kinit admin
[email protected]'s Password:
chaos:/var/log # klist
Credentials cache: FILE:/tmp/krb5cc_1141449863_q94vTe
Principal: [email protected]
Issued Expires Principal
Jul 19 10:07:40 2013 Jul 20 10:07:36 2013 krbtgt/[email protected]
Jul 19 10:07:40 2013 Jul 20 10:07:36 2013 afs/[email protected]
chaos:/var/log # aklog -d
Authenticating to cell coyhile.com (server chaos.coyhile.com).
Trying to authenticate to user's realm COYHILE.COM.
Getting tickets: afs/[email protected]
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get coyhile.com AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
chaos:/var/log #
and in the KDC logs, I see this:
2013-07-19T10:07:40 ENC-TS Pre-authentication succeeded -- [email protected]
using aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 ENC-TS pre-authentication succeeded -- [email protected]
2013-07-19T10:07:40 AS-REQ authtime: 2013-07-19T10:07:40 starttime: unset
endtime: 2013-07-20T10:07:36 renew till: 2013-07-26T10:07:36
2013-07-19T10:07:40 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
des-cbc-md5, des-cbc-md4, des-cbc-crc, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 Requested flags: renewable, forwardable
2013-07-19T10:07:40 sending 738 bytes to IPv4:37.153.98.57
2013-07-19T10:07:40 TGS-REQ [email protected] from IPv4:37.153.98.57 for
afs/[email protected] [canonicalize, renewable, forwardable]
2013-07-19T10:07:40 Server (afs/[email protected]) has no support for
etypes
2013-07-19T10:07:40 Failed building TGS-REP to IPv4:37.153.98.57
2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client
Does *everything* need a DES key, or just the afs/cell principal?
-c
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
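
Added example, not part of the original post: a small triage helper that decodes the numeric code aklog printed (-1765328370) into its RFC 4120 protocol error and pairs each rejected TGS-REQ in a Heimdal KDC log with that error. The function names are hypothetical, and the principals and IP address in the sample log are constructed placeholders.

```python
import re

# com_err base of the krb5 error table: library code = base + RFC 4120 error number.
KRB5_ERROR_BASE = -1765328384
RFC4120_ERRORS = {  # subset relevant to ticket requests
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
}
STAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2} ")
# Constructed sample in the wrapped layout of the post; principals and IP are placeholders.
SAMPLE_LOG = """\
2013-07-19T10:07:40 TGS-REQ user@EXAMPLE.COM from IPv4:192.0.2.10 for
afs/example.com@EXAMPLE.COM [canonicalize, renewable, forwardable]
2013-07-19T10:07:40 Server (afs/example.com@EXAMPLE.COM) has no support for
etypes
2013-07-19T10:07:40 Failed building TGS-REP to IPv4:192.0.2.10
2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client
"""

def decode_krb5_error(code):
    """Map a com_err style krb5 code to (protocol error number, name)."""
    number = code - KRB5_ERROR_BASE
    if not 0 <= number <= 127:
        raise ValueError(f"{code} is outside the krb5 protocol error range")
    return number, RFC4120_ERRORS.get(number, "UNLISTED")

def join_wrapped(text):
    """Re-join wrapped log entries; a new entry starts with a timestamp."""
    entries = []
    for line in text.strip().splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def failed_tgs_requests(text):
    """Return (client, service, error name) for each TGS-REQ the KDC rejected."""
    results, pending = [], None
    for entry in join_wrapped(text):
        if m := re.search(r"TGS-REQ (\S+) from \S+ for (\S+)", entry):
            pending = m.groups()
        elif (m := re.search(r"sending error: (-?\d+) to client", entry)) and pending:
            results.append((*pending, decode_krb5_error(int(m.group(1)))[1]))
            pending = None
    return results

if __name__ == "__main__":
    print(decode_krb5_error(-1765328370), failed_tgs_requests(SAMPLE_LOG))
```

The decoded name, KDC_ERR_ETYPE_NOSUPP (error 14), corresponds to the "has no support for etypes" entry the KDC logged for the same request.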