RE: [OpenAFS] ad+openafs

[Brandon Allbery]

-1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP. This often means that DES is disabled 
somewhere. Note that the client library *also* needs DES enabled; you might 
need to add to the [libdefaults] section of /etc/krb5.conf on the RH system,

    allow_weak_crypto = true

From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On 
Behalf Of zhaoxy...@ustc.edu.cn
Sent: Tuesday, May 3, 2016 4:39 AM
To: openafs-info@openafs.org
Subject: [OpenAFS] ad+openafs


hi

i install openafs1.6.14 on redhat 6.7 and i want to use the ad as krb5 auth .

here is my steps:

1  install openafs1.6.14 on redhat6.7

2  install ad on windows 2008 r2

3  ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME \ 
-mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly \ -ptype 
KRB5_NT_PRINCIPAL +DumpSalt )

4 use kinit wang

   aklog

[root@test-afs002 ]# klist -e -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: w...@pc.com<mailto:w...@pc.com>

Valid starting     Expires            Service principal
05/03/16 16:26:46  05/04/16 02:26:33  
krbtgt/pc....@pc.com<mailto:krbtgt/pc....@pc.com>
        renew until 05/10/16 16:26:46, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/03/16 16:27:04  05/04/16 02:26:33  
afs/pc....@pc.com<mailto:afs/pc....@pc.com>
        renew until 05/10/16 16:26:46, Flags: FRA
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
[root@test-afs002 ]# ls /afs/pc.com/
ls: cannot open directory /afs/pc.com/: Permission denied
[root@test-afs002 ]#

if Create a afs user in the AD as a normal user with the login afs, set user 
cannot change passwordd, password never expires. Try to set "Use Kerberos DES 
encryption types for this account" on the Account tab. then when i use the 
command

[root@test-afs002 ]# kinit wang
Password for w...@pc.com<mailto:w...@pc.com>:
[root@test-afs002 ]# aklog
aklog: Couldn't get pc.com AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
[root@test-afs002 ]#

i configure the ad follow the web 
https://wiki.openafs.org/win2008r2adaskdc/,but i can't find what is wrong with 
me ?can you tell me ?

thanks