[OpenAFS] enctypes supported by openafs 1.6.1?

Anders Lennartsson anders@lennartsson.se
Mon, 13 May 2013 08:07:02 +0200

On Sun, 2013-05-12, at 19:35:24 -0400, Benjamin Kaduk wrote:
> On Sat, 11 May 2013, Anders Lennartsson wrote:
> >What enctypes are actually supported by OpenAFS 1.6.1?
> >
> >I recently upgraded from 1.4 to 1.6.1 (in Debian Wheezy) by a new
> >install. There are several computers: a Heimdal 1.6 kdc, a 1.6.1 afs
> >service, and some Linux and Windows 7 clients.
> >
> >An afs principal with (only) a des-cbc-md5 key works fine with Linux
> >clients. But the Heimdal 1.5.1 for Windows refuses to get afs tokens
> >based on that.
> >
> >After replacing afs principal with one having only a des-cbc-crc key
> >(and extracting a new KeyFile etc) both Linux and Windows clients work
> >fine.
> >
> >Why is this so?
> This is before my time, but I believe that MIT krb5 blacklists
> des-cbc-md5 due to there once having been a deployed buggy
> implementation.  (I did not think Heimdal was affected, though.)
> des-cbc-crc and des-cbc-md5 keys are usable equivalently by AFS, of
> course.
> You did not say which version of OpenAFS the windows client runs.
> -Ben Kaduk

The following versions are playing here:

Heimdal KDC 1.6~git20120403+dfsg1-2 (Debian Wheezy)
OpenAFS [db|file]server 1.6.1-3 (Debian Wheezy)

Linux clients
OpenAFS Linux 1.6.1-3
Heimdal client stuff 1.6~git20120403+dfsg1-2 (Debian Wheezy)

Windows clients
Heimdal 1.5.1 (Secure Endpoints)
Network Identity Manager 2.0 (Secure Endpoints)
OpenAFS Client 1.7.21 or 1.7.24

All computers have allow_weak_crypto = true in the corresponding krb
configuration file.

Linux servers and clients work fine with either des-cbc-md5 or
des-cbc-crc keytype in the afs principal. Windows clients cannot get
afs tokens if the des-cbc-md5 keytype is used, but work fine if
des-cbc-crc is used.

On the page http://wiki.openafs.org/AdminFAQ/, question 3.56 (perhaps
recently added?), an explanation is given (for the error number I got)
that des-cbc-crc must be used. I would have guessed that des-cbc-md5
could also be used, at least with Windows 1.7.x clients.

In summary, I seek confirmation that this applies to 1.7 Win clients
and perhaps an explanation of why des-cbc-md5 works on Linux but not Win.