[OpenAFS] Unable to get tokens after replacing Win2k3 DC with a Win2k8 DC

Ken Dreyer ktdreyer@ktdreyer.com
Tue, 19 Apr 2011 21:49:35 -0600

On Mon, Apr 18, 2011 at 1:06 PM, Thomas Smith <theitsmith@gmail.com> wrote:
> It seems that this RODC is creating issues for us. What appears to be
> happening is the RODC issues the server a TGT. When the server
> attempts to acquire a TGS, the RODC forwards the request to an RWDC
> but that server doesn't honor the TGT issued by the RODC. We were able
> to work around this issue by forcing kerberos to connect to an RWDC. We
> verified functionality by successfully enumerating AD user accounts.
> With kerberos working now, and with DES-CBC-MD5 enabled, we are still
> getting the same RPC error. It's my understanding that AFS uses the
> local krb5 install for authentication--is this the case?

Just a guess, from a Kerberos newbie: fire up wireshark and see what
type your client is asking for in the AS-REQ and/or TGS-REQ. I believe
Microsoft's RODCs insist on NT_SRV_INST, and AFS's aklog may be
failing because the principal type is NT_UNKNOWN. It would match your
"Decrypt integrity check failed" error.

See the discussions at
MIT: http://permalink.gmane.org/gmane.comp.encryption.kerberos.devel/9232
Heimdal: http://permalink.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/5586
Samba: http://lists.samba.org/archive/samba-technical/2010-September/073493.html
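An added illustration, not part of this thread, of the field the reply suggests inspecting: the name-type of a Kerberos PrincipalName (RFC 4120 section 5.2.2) as it appears DER-encoded in an AS-REQ or TGS-REQ. The encoder/decoder and the sample principals below are constructed here; short-form DER lengths are assumed, which is enough for ordinary service principals.

```python
"""Minimal DER encode/decode of a Kerberos PrincipalName, to show where
the name-type (NT-UNKNOWN vs NT-SRV-INST) sits on the wire."""

# Name-type constants from RFC 4120 section 6.2
NT_UNKNOWN, NT_PRINCIPAL, NT_SRV_INST = 0, 1, 2
NAME_TYPES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST",
              3: "NT-SRV-HST", 4: "NT-SRV-XHST", 5: "NT-UID"}


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with a short-form length (body < 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form lengths not supported in this example")
    return bytes([tag, len(body)]) + body


def encode_principal_name(name_type: int, components: list[str]) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32,
                                    name-string [1] SEQUENCE OF KerberosString }"""
    int32 = _tlv(0x02, bytes([name_type]))                       # INTEGER (0..127)
    strings = b"".join(_tlv(0x1B, c.encode()) for c in components)  # GeneralString
    return _tlv(0x30, _tlv(0xA0, int32) + _tlv(0xA1, _tlv(0x30, strings)))


def _read_tlv(buf: bytes, pos: int, expect: int) -> tuple[bytes, int]:
    """Read one short-form TLV at pos; return (body, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != expect or length >= 128:
        raise ValueError(f"unexpected tag 0x{tag:02x} or long length at {pos}")
    start = pos + 2
    return buf[start:start + length], start + length


def decode_principal_name(buf: bytes) -> tuple[int, list[str]]:
    """Return (name_type, components) from a DER PrincipalName."""
    seq, _ = _read_tlv(buf, 0, 0x30)
    ctx0, pos = _read_tlv(seq, 0, 0xA0)
    int_body, _ = _read_tlv(ctx0, 0, 0x02)
    name_type = int.from_bytes(int_body, "big", signed=True)
    ctx1, _ = _read_tlv(seq, pos, 0xA1)
    strs, _ = _read_tlv(ctx1, 0, 0x30)
    comps, p = [], 0
    while p < len(strs):
        body, p = _read_tlv(strs, p, 0x1B)
        comps.append(body.decode())
    return name_type, comps


def describe(buf: bytes) -> str:
    """Human-readable form, e.g. 'NT-SRV-INST afs/example.com'."""
    name_type, comps = decode_principal_name(buf)
    return f"{NAME_TYPES.get(name_type, name_type)} {'/'.join(comps)}"


if __name__ == "__main__":
    # Constructed sample: the same service name with two different name-types.
    for nt in (NT_UNKNOWN, NT_SRV_INST):
        der = encode_principal_name(nt, ["afs", "example.com"])
        print(der.hex(), "->", describe(der))
```

The second hex byte after `a0 03 02 01` is the name-type, which is what a packet dissector labels as the principal name type in the request.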