[OpenAFS] Kerberos 1.10.1 and OpenAFS

Steve Devine sd@msu.edu
Wed, 4 Apr 2012 10:04:18 -0400

MSU is preparing to upgrade from MIT Kerberos 1.6x to 1.10.1. While
doing some testing of client access I discovered that I was not able to
get a token (aklog) after kinit-ing to the test server.
In order to make this work we needed to put the following line in the
/etc/krb5.conf on the Kerberos KDC.
allow_weak_crypto = true

This seems odd to me. I expected to need doing this on the client side
not the server. This is related to the afs principal in the KDC no
doubt, but I'm not sure why.  Any thoughts?

If this question belongs on the Kerberos list let me know. 


Steve Devine
Content and Collaboration
Information Technology Services
Michigan State University