On 2013-07-25 17:55, Andrew Deason wrote:
> On Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
> Benjamin Kaduk <[email protected]> wrote:
>
>> The short version is: a misconfigured KDC can cause problems for new
>> clients against old servers.
>
> If that's true, we need to say specifically what that misconfiguration
> is, so people can check for them and avoid it. I'm not aware of any way
> to create such a configuration (that behavior sounds instead like a KDC
> bug to me, without knowing any further details).
>
> In particular with AD, the AFS service account must already have the
> USE_DES_KEY_ONLY userAccountControl bit set in order for us to work at
> all with plain rxkad. Lars, do you know if the "Use Kerberos DES
> encryption types for this account" account option is checked for the AFS
> service account? Do you see any errors in wherever the Windows client
> normally logs errors? Can you access that path if you destroy your
> tokens?

It is a bit more subtle. Yes, the AFS service account has DES only
activated. klist -e on Linux shows me:

    2013-07-26 08:50:42  2013-07-27 08:51:58  afs/[email protected]
            Etype (skey, tkt): des-cbc-crc, des-cbc-crc

(on a still old client).

I updated 3 clients for a test on Windows 7 to 1.7.26. One works fine,
two show me a valid token on login, but the AFS path is not reachable at
all (\\AFS\.cgv.tugraz.at not reachable).

Kind regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: [email protected]
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
