On 7/30/13 14:39, "John Sopko" <[email protected]> wrote:

>Where is the session key for the afs/cell@REALM service principal
>derived from? If I remove the des-cbc-crc encryption type from both the
>afs/cell@REALM and the user principals will things still work without
>having to upgrade all clients to openafs 1.6.5?

User principals only require des-cbc-crc if you are using klog via ka-forwarder or Heimdal's "kdc --kaserver"; aklog can handle non-des user principals fine. In any AFS release before 1.6.5, and even in 1.6.5 if you have not set up rxkad.keytab, the afs/cell principal *must* have des-cbc-crc.

>But when I create a user or a user changes their passwd they do not get
>the "des-cbc-crc" encryption type, for example kadmin for a user shows:

Check krb5.conf as well as kdc.conf. Also I would disable or preferably remove *all* of the des keys for principals other than afs/cell, not just des-cbc-crc.

--
brandon s allbery kf8nh
sine nomine associates
[email protected]
[email protected]
unix, openafs, kerberos, infrastructure, xmonad
