[OpenAFS] Kerberos5 and afs

Christopher D. Clausen cclausen@acm.org
Thu, 15 Nov 2007 17:32:04 -0600


Steve Devine <sdevine@msu.edu> wrote:
> Does the order of the enctypes listed in the kdc affect this?
> This is my current kdc.conf entry:
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des-cbc-crc:v4 des-cbc-crc:afs3
> I'm not sure how to manipulate the kvno on the AD

I currently have the following on a KDC with an AD domain trust:
supported_enctypes = aes256-cts:normal aes128-cts:normal rc4-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal

I suspect that you may want at least the rc4-hmac:normal in that list, 
as that is one of the enc_types that AD supports.

I remember that I had no luck getting the trust to work when using 
specific enc_types in the -e option to ktadd.  Completely omitting the 
"-e" seemed to work though.  This could be something odd in my 
environment though.

For instance, my cross-realm TGT has AES enc_types that are not actually 
supported by Windows:

kadmin.local:  getprinc krbtgt/ILLIGAL.UIUC.EDU@AD.UIUC.EDU
Principal: krbtgt/ILLIGAL.UIUC.EDU@AD.UIUC.EDU
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt

You can turn on RC4 for the realm trust using ktpass.exe.

If you join #kerberos on Freenode IRC there are smart people in the 
channel who can help you with this.

<<CDC
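As an added example (not code from the thread or from OpenAFS), a small Python check of the two things discussed above: which enctypes in a kdc.conf supported_enctypes line a peer realm can actually use, and which of a cross-realm krbtgt's keys (as printed by kadmin getprinc) the peer can use, plus whether all keys share one kvno. PEER_SUPPORTED is an assumption for the example: the post only says AD supports rc4-hmac and not the AES types.

```python
import re

# Constructed sample: the getprinc listing from the post above.
SAMPLE_GETPRINC = """\
Principal: krbtgt/ILLIGAL.UIUC.EDU@AD.UIUC.EDU
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
"""

# Assumption: enctypes the Windows side of this trust can negotiate (2007-era AD).
PEER_SUPPORTED = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5"}

# kadmin prints key types as descriptions; map them back to kdc.conf enctype names.
DESC_TO_ENCTYPE = {
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts",
    "ArcFour with HMAC/md5": "rc4-hmac",
}
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")


def parse_getprinc(text):
    """Return [(kvno, enctype, salt)] for each Key: line of getprinc output."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            kvno, desc, salt = m.groups()
            keys.append((int(kvno), DESC_TO_ENCTYPE.get(desc, desc), salt))
    return keys


def parse_supported_enctypes(conf_value):
    """Split a supported_enctypes value into (enctype, salt-type) pairs."""
    pairs = []
    for tok in conf_value.split():
        name, _, salt = tok.partition(":")
        pairs.append((name, salt or "normal"))
    return pairs


def peer_overlap(conf_value, peer_supported):
    """Enctypes the KDC will issue that the peer realm can also use."""
    return sorted({e for e, _ in parse_supported_enctypes(conf_value)} & peer_supported)


def trust_check(keys, peer_supported):
    """Which krbtgt keys the peer can use, and whether every key shares one kvno."""
    usable = sorted({e for _, e, _ in keys if e in peer_supported})
    unusable = sorted({e for _, e, _ in keys if e not in peer_supported})
    single_kvno = len({k for k, _, _ in keys}) == 1
    return {"usable": usable, "unusable": unusable,
            "single_kvno": single_kvno, "ok": bool(usable) and single_kvno}
```

Run against Steve's line the overlap is only des-cbc-crc, which is why adding rc4-hmac:normal is the suggestion above.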