We're looking at moving to the AuriStor AFS client for our Windows 10 computers soon. I've run across an issue that works with our old MIT KfW/OpenAFS 1.3.31 configuration.
When logging in as the domain administrator, I see domain administrator Kerberos tickets displayed in NIM (v. 2.5.0.106). However, when I try to fetch a ticket for myself user@KERB_REALM (which uses an old KDC that still relies on weak encryption types), I get an error I can not obtain a ticket and maybe I should turn on the "allow weak encryption types" option that is already enabled in NIM and specified in \ProgramData\Kerberos\krb5.conf Normal users in our Windows domain are authenticated against the same KDC used for obtaining OpenAFS credentials using altIdentity definitions in Active Directory. Group policy enables various weak encryption types until we can upgrade that KDC. At login, the client computer is able to authenticate against the KDC and obtain a ticket/token for the user. Any suggestions for allowing the domain administrator users, which is authenticated directly against our Active Directory domain controllers, to be able to obtain a user Kerberos ticfket/AFS token? This wasn't a problem using MIT KfW 3.2.2. John Perkins UW-Madison Computer Sciences
