[OpenAFS] Re: aklog error: unknown RPC error (-1765328184) while getting AFS tickets allow_weak_enctypes may be required in the Kerberos configuration

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 11 Nov 2013 18:03:26 -0500

On Fri, 2013-11-08 at 10:19 -0600, Andrew Deason wrote:

> Part of the protocol that OpenAFS uses for authenticated communication
> over the network uses a short-term DES key. Semi-recently, Kerberos
> implementations started not allowing DES to be used by default, to
> encourage people to not use DES, and to make the usage of DES more
> visible. With OpenAFS, you currently do not have a choice, and we must
> get a DES key from Kerberos, since that is the only thing the rxkad
> protocol allows.

You mean, unless you've upgraded your servers to 1.6.5 or newer, have
provisioned them with an rxkad.keytab containing non-DES service keys,
and are using a sufficiently recent aklog, such as the one from 1.6.5.
When those conditions are satisfied, you still end up using fcrypt, but
you don't need Kerberos tickets with DES keys.  See OPENAFS-SA-2013-003
for more information.  Visit https://www.openafs.org/security/ for a
list of OpenAFS security advisories including, in this case, detailed
instructions on deploying OpenAFS with non-DES keys.

Note that this doesn't change the fact that you are and will be using a
relatively weak modified DES for data encryption until rxgk is ready.
However, the point of rxkad-kdf is to eliminate the need for the KDC or
any part of Kerberos to know or care that you are using DES, which is
the cause of the error in question.

-- Jeff