[OpenAFS] ADS and MIT Kerberos transition auth continued

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 16 Jul 2009 15:12:32 -0400

Eric Chris Garrison wrote:
> Okay, we continue to fight this.  We found that despite having an
> alternate realm name in /usr/afs/etc/krb.conf, users from that realm were
> being treated as unauthorized, anonymous users, rather than being mapped
> as they should be.
> We looked into enctypes as a possible culprit.  We were using des-cbc-crc,
> but when we'd do an aklog, ADS returns des-cbc-md5, and they said they can
> not restrict it to just one type, but can restrict it to just DES types.
> (The ADS admin said they set the "Use Kerberos DES encryption types" flag).

des-cbc-md5 is fine.  after you set the DES-only bit you need to
generate assign a new password for the account and re-export the keytab
with a new kvno which then needs to be imported into the AFS KeyFile

Jeffrey Altman