[OpenAFS] Force crypto type

Davis, Adam adam.davis@imperial.ac.uk
Wed, 24 Aug 2005 16:26:14 +0100

>From what I read with Win-2003 SP1 KDC you can force the encryption type
to be something that AFS can use. i.e cbc-crc cbc-md5

I have tried all the following without success in krb5.conf

      default_tkt_enctypes =3D des-cbc-crc,des-cbc-md5
      default_tgs_enctypes =3D des-cbc-crc,des-cbc-md5
      default_etypes =3D des-cbc-crc,des-cbc-md5
      default_etypes_des =3D des-cbc-crc,des-cbc-md5
      permitted_enctypes =3Ddes-cbc-crc des-cbc-md5 des-cbc-crc

I can force the skey part of the Etype to be CRC by the looks of it but
I still end up with ArcFour MD5 in the second part.

-bash-2.05b# klist -e -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@IC.AC.UK
Valid starting     Expires            Service principal
08/24/05 13:15:23  08/24/05 23:15:23  krbtgt/IC.AC.UK@IC.AC.UK
        Flags: IA, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour
with HMAC/md5=20
08/24/05 13:16:11  08/24/05 23:15:23  afs/ic.ac.uk@IC.AC.UK
        Flags: A, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc
mode with RSA-MD5

Am I missing something here ? I am guessing that this is not working
because of the encryption type and not something else I am doing wrong=20