[OpenAFS] Kerberos 1.10.1 and OpenAFS

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 04 Apr 2012 10:23:03 -0400

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

The 1.10 Kerberos distribution does not support weak encryption types
such as DES out of the box.  If you do not explicitly enable support for
weak encryption types it won't matter what keys you have on service
principals or what other configuration is specified, weak encryption
keys simply will not be used.   This is an incremental step towards the
removal of weak encryption types such as DES from the Kerberos ecosystem.=

The AFS service principal must have a working DES key.  If it doesn't,
you cannot obtain service tickets for AFS that are usable.

On 4/4/2012 10:04 AM, Steve Devine wrote:
> MSU is preparing to upgrade from MIT Kerberos 1.6x to 1.10.1. While
> doing some testing of client access I discovered that I was not able to=

> get a token (aklog) after kinit-ing to the test server.
> In order to make this work we needed to put the following line in the
> /etc/krb5.conf on the Kerberos KDC.
> allow_weak_crypto =3D true
> This seems odd to me. I expected to need doing this on the client side
> not the server. This is related to the afs principal in the KDC no
> doubt, but I'm not sure why.  Any thoughts?
> If this question belongs on the Kerberos list let me know.=20
> Thanks
> Steve Devine
> Content and Collaboration
> Information Technology Services
> Michigan State University
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

Version: GnuPG v1.4.9 (MingW32)