[OpenAFS] ADS and MIT Kerberos transition auth continued

Russ Allbery rra@stanford.edu
Thu, 16 Jul 2009 11:52:24 -0700

Eric Chris Garrison <ecgarris@iupui.edu> writes:

> So, we got a des-crc-md5 service principal from our ADS admin.  Now the
> ticket decoding is failing in krb5_des_decrypt() in rxkad/ticket5.c on
> the server side.
> After aklog, this is what klist shows for afs/afstest.iu.edu:
> 07/16/09 14:43:22  07/17/09 00:43:12  afs/afstest.iu.edu@ADS.IU.EDU
>         renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode
> with CRC-32, DES cbc mode with RSA-MD5
> In FileLog:
> Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0
> That 0 should be 2 for properly authenticated connections. At first it
> failed because the enctype wasn't supported.  Now that they have that
> DES flag set in the kdc, it fails because it can't decrypt the encrypted
> part of the k5 ticket.

Did you update KeyFile with the new service principal that you got from
your ADS admin and make sure that the kvno in KeyFile matches the kvno in
Active Directory?

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>