[OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Ken Hornstein
kenh@cmf.nrl.navy.mil
Fri, 08 Jul 2022 09:53:26 -0400
> The problem is that we (well, at least me!) have no idea which enctype
> is expected, and which enctypes are actually tried. Debug output is not
> too helpful here. Any ideas on how to get useful information?
You said you rekeyed your AFS environment with an AES256 key, but
the error message says:
"error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of ....: No credentials found with supported encryption types"
Enctype 1 is ... single-DES (specifically, des-cbc-crc). So you're asking
for a single-DES key but the server only supports AES256, so it isn't
surprising you get that error. Is the client code limiting the enctype
to single-DES? If so, that's your problem.
--Ken
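
An added example, not part of the original message and not OpenAFS or PAM module code: a small Python helper that pulls the requested enctype out of an error line like the one quoted above (tolerating the quoted-printable mangling found in mail archives) and compares it with the enctypes the service principal has keys for. The function name `triage`, the `SERVICE_KEYS` set, and the reading of "AES256" as enctype 18 are assumptions of this example.

```python
import re

# Kerberos enctype numbers (IANA registry subset) -> (name, deprecated?)
ENCTYPES = {
    1: ("des-cbc-crc", True),
    2: ("des-cbc-md4", True),
    3: ("des-cbc-md5", True),
    16: ("des3-cbc-sha1", True),
    17: ("aes128-cts-hmac-sha1-96", False),
    18: ("aes256-cts-hmac-sha1-96", False),
    19: ("aes128-cts-hmac-sha256-128", False),
    20: ("aes256-cts-hmac-sha384-192", False),
    23: ("rc4-hmac", True),
}

# "=3D" is a quoted-printable "="; accept it explicitly instead of running a
# generic QP decoder, which would turn a clean "enctype=18" into byte 0x18.
ERR_RE = re.compile(
    r"error obtaining credentials for '([^']+)'\s*\(enctype=(?:3D)?(\d+)\)"
)

# Assumption: the cell was rekeyed with an aes256-cts-hmac-sha1-96 key only.
SERVICE_KEYS = {18}

# The error line as it appears in the archived (quoted-printable) message.
SAMPLE = (
    "error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (=\n"
    "enctype=3D1) on behalf of ....: No credentials found with supported encryp=\n"
    "tion types"
)

def triage(raw, service_key_enctypes):
    """Describe the enctype a client requested; None if no such error found."""
    text = re.sub(r"=\r?\n", "", raw)  # undo quoted-printable soft line breaks
    m = ERR_RE.search(text)
    if m is None:
        return None
    etype = int(m.group(2))
    name, deprecated = ENCTYPES.get(etype, ("unknown", False))
    return {
        "principal": m.group(1),
        "requested": etype,
        "name": name,
        "deprecated": deprecated,
        "service_has_key": etype in service_key_enctypes,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, SERVICE_KEYS))
```

A result with `deprecated` true and `service_has_key` false is the situation described above: the client asked for a single-DES ticket while the service principal only holds an AES256 key.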