[OpenAFS] RHEL6 allow_weak_crypto in client krb5.conf

Simon Wilkinson sxw@inf.ed.ac.uk
Tue, 22 Nov 2011 20:52:28 +0000

On 22 Nov 2011, at 20:28, Jeff Blaine wrote:

> I'm a little confused.  I just had to turn on
> allow_weak_crypto in a RHEL6 kerberos client's
> /etc/krb5.conf to be able to aklog.
> My understanding was that this setting was only
> needed on the KDCs, which until now, has been
> working fine since we upgraded our KDCs to 1.9.

You need the setting on the KDCs, because otherwise they won't issue any =
single DES tickets, regardless of the encryption types set for the =
afs/<cell> principal. But ...

> Is that just because our other clients are (they
> are) running sub-1.9 MIT Kerberos so we didn't hit
> this?

You also need this setting on all of your clients, because otherwise you =
won't be able to get any single DES tickets. This has been the case =
since MIT Kerberos 1.8.

In later versions of OpenAFS we work round this by having aklog use a =
krb5 function to enable weak crypto for that specific context, but I =
guess you aren't using that version of OpenAFS yet.